diff --git a/integration/hsm/hsm_test.go b/integration/hsm/hsm_test.go
index 3ce91c7a845b4..f5556ad724595 100644
--- a/integration/hsm/hsm_test.go
+++ b/integration/hsm/hsm_test.go
@@ -39,6 +39,7 @@ import (
"github.com/gravitational/teleport/lib/auth/authclient"
"github.com/gravitational/teleport/lib/auth/keystore"
"github.com/gravitational/teleport/lib/auth/state"
+ "github.com/gravitational/teleport/lib/auth/storage"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/etcdbk"
"github.com/gravitational/teleport/lib/backend/lite"
@@ -181,7 +182,7 @@ func TestHSMRotation(t *testing.T) {
}
func getAdminClient(authDataDir string, authAddr string) (*authclient.Client, error) {
- identity, err := state.ReadLocalIdentity(
+ identity, err := storage.ReadLocalIdentity(
filepath.Join(authDataDir, teleport.ComponentProcess),
state.IdentityID{Role: types.RoleAdmin})
if err != nil {
diff --git a/integration/instance_test.go b/integration/instance_test.go
index 0c00c6ee4eb4b..baa7f4c79aaa0 100644
--- a/integration/instance_test.go
+++ b/integration/instance_test.go
@@ -33,7 +33,7 @@ import (
"github.com/gravitational/teleport/api/breaker"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib"
- "github.com/gravitational/teleport/lib/auth"
+ "github.com/gravitational/teleport/lib/auth/state"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/cloud/imds"
"github.com/gravitational/teleport/lib/defaults"
@@ -141,7 +141,7 @@ func TestInstanceCertReissue(t *testing.T) {
authCfg.InstanceMetadataClient = imds.NewDisabledIMDSClient()
authRunErrCh := make(chan error, 1)
- authIdentitiesCh := make(chan *auth.Identity, 2)
+ authIdentitiesCh := make(chan *state.Identity, 2)
go func() {
authRunErrCh <- service.Run(ctx, *authCfg, func(cfg *servicecfg.Config) (service.Process, error) {
proc, err := service.NewTeleport(cfg)
@@ -198,7 +198,7 @@ func TestInstanceCertReissue(t *testing.T) {
agentCfg.InstanceMetadataClient = imds.NewDisabledIMDSClient()
agentRunErrCh := make(chan error, 1)
- agentIdentitiesCh := make(chan *auth.Identity, 2)
+ agentIdentitiesCh := make(chan *state.Identity, 2)
go func() {
agentRunErrCh <- service.Run(ctx, *agentCfg, func(cfg *servicecfg.Config) (service.Process, error) {
proc, err := service.NewTeleport(cfg)
diff --git a/lib/auth/init.go b/lib/auth/init.go
index f11a5384b99f8..779b17bcb08f8 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -1117,20 +1117,6 @@ func checkResourceConsistency(ctx context.Context, keyStore *keystore.Manager, c
return nil
}
-// Identity alias left to prevent breaking builds
-// TODO(tross): Delete after teleport.e is updated
-type Identity = state.Identity
-
-// IdentityID alias left to prevent breaking builds
-// TODO(tross): Delete after teleport.e is updated
-type IdentityID = state.IdentityID
-
-// ReadLocalIdentity left to prevent breaking builds
-// TODO(tross): Delete after teleport.e is updated
-func ReadLocalIdentity(dataDir string, id state.IdentityID) (*Identity, error) {
- return state.ReadLocalIdentity(dataDir, id)
-}
-
// GenerateIdentity generates identity for the auth server
func GenerateIdentity(a *Server, id state.IdentityID, additionalPrincipals, dnsNames []string) (*state.Identity, error) {
priv, pub, err := native.GenerateKeyPair()
diff --git a/lib/auth/state/identity.go b/lib/auth/state/identity.go
index 89cf0f84e8afe..e6b5ceb62adb9 100644
--- a/lib/auth/state/identity.go
+++ b/lib/auth/state/identity.go
@@ -17,7 +17,6 @@
package state
import (
- "context"
"crypto/tls"
"crypto/x509"
"fmt"
@@ -338,14 +337,3 @@ func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
Cert: cert,
}, nil
}
-
-// ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the
-// key storage (dataDir).
-func ReadLocalIdentity(dataDir string, id IdentityID) (*Identity, error) {
- storage, err := NewProcessStorage(context.TODO(), dataDir)
- if err != nil {
- return nil, trace.Wrap(err)
- }
- defer storage.Close()
- return storage.ReadIdentity(IdentityCurrent, id.Role)
-}
diff --git a/lib/auth/state/state.go b/lib/auth/state/state.go
index 8a7807e99af71..aa2f7348d0b52 100644
--- a/lib/auth/state/state.go
+++ b/lib/auth/state/state.go
@@ -19,53 +19,12 @@
package state
import (
- "context"
- "encoding/json"
- "strings"
-
"github.com/coreos/go-semver/semver"
"github.com/gravitational/trace"
- "github.com/gravitational/teleport/api/client/proto"
"github.com/gravitational/teleport/api/types"
- "github.com/gravitational/teleport/lib/backend"
- "github.com/gravitational/teleport/lib/utils"
)
-// backend implements abstraction over local or remote storage backend methods
-// required for Identity/State storage.
-// As in backend.Backend, Item keys are assumed to be valid UTF8, which may be enforced by the
-// various Backend implementations.
-type stateBackend interface {
- // Create creates item if it does not exist
- Create(ctx context.Context, i backend.Item) (*backend.Lease, error)
- // Put puts value into backend (creates if it does not
- // exists, updates it otherwise)
- Put(ctx context.Context, i backend.Item) (*backend.Lease, error)
- // Get returns a single item or not found error
- Get(ctx context.Context, key []byte) (*backend.Item, error)
-}
-
-// ProcessStorage is a backend for local process state,
-// it helps to manage rotation for certificate authorities
-// and keeps local process credentials - x509 and SSH certs and keys.
-type ProcessStorage struct {
- // BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
- BackendStorage backend.Backend
-
- // stateStorage is the backend to store agents' identities and states.
- // it is not required to close stateBackend storage because it's either the same as BackendStorage or it is Kubernetes
- // which does not require any close method
- stateStorage stateBackend
-}
-
-// Close closes all resources used by process storage backend.
-func (p *ProcessStorage) Close() error {
- // we do not need to close stateBackend storage because it's either the same as backend or it's kubernetes
- // which does not require any close method
- return p.BackendStorage.Close()
-}
-
const (
// IdentityCurrent is a name for the identity credentials that are
// currently used by the process.
@@ -75,134 +34,8 @@ const (
IdentityReplacement = "replacement"
// stateName is an internal resource object name
stateName = "state"
- // statesPrefix is a key prefix for object states
- statesPrefix = "states"
- // idsPrefix is a key prefix for identities
- idsPrefix = "ids"
)
-// GetState reads rotation state from disk.
-func (p *ProcessStorage) GetState(ctx context.Context, role types.SystemRole) (*StateV2, error) {
- item, err := p.stateStorage.Get(ctx, backend.Key(statesPrefix, strings.ToLower(role.String()), stateName))
- if err != nil {
- return nil, trace.Wrap(err)
- }
- var res StateV2
- if err := utils.FastUnmarshal(item.Value, &res); err != nil {
- return nil, trace.BadParameter(err.Error())
- }
-
- // an empty InitialLocalVersion is treated as an error by CheckAndSetDefaults, but if the field
- // is missing in the underlying storage, that indicates the state was written by an older version of
- // teleport that didn't record InitialLocalVersion. In that case, we set a sentinel value to indicate
- // that the version is unknown rather than being erroneously omitted.
- if res.Spec.InitialLocalVersion == "" {
- res.Spec.InitialLocalVersion = unknownLocalVersion
- }
-
- if err := res.CheckAndSetDefaults(); err != nil {
- return nil, trace.Wrap(err)
- }
- return &res, nil
-}
-
-// CreateState creates process state if it does not exist yet.
-func (p *ProcessStorage) CreateState(role types.SystemRole, state StateV2) error {
- if err := state.CheckAndSetDefaults(); err != nil {
- return trace.Wrap(err)
- }
- value, err := json.Marshal(state)
- if err != nil {
- return trace.Wrap(err)
- }
- item := backend.Item{
- Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
- Value: value,
- }
- _, err = p.stateStorage.Create(context.TODO(), item)
- if err != nil {
- return trace.Wrap(err)
- }
- return nil
-}
-
-// WriteState writes local cluster state to the backend.
-func (p *ProcessStorage) WriteState(role types.SystemRole, state StateV2) error {
- if err := state.CheckAndSetDefaults(); err != nil {
- return trace.Wrap(err)
- }
- value, err := json.Marshal(state)
- if err != nil {
- return trace.Wrap(err)
- }
- item := backend.Item{
- Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
- Value: value,
- }
- _, err = p.stateStorage.Put(context.TODO(), item)
- if err != nil {
- return trace.Wrap(err)
- }
- return nil
-}
-
-// ReadIdentity reads identity using identity name and role.
-func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*Identity, error) {
- if name == "" {
- return nil, trace.BadParameter("missing parameter name")
- }
- item, err := p.stateStorage.Get(context.TODO(), backend.Key(idsPrefix, strings.ToLower(role.String()), name))
- if err != nil {
- return nil, trace.Wrap(err)
- }
- var res IdentityV2
- if err := utils.FastUnmarshal(item.Value, &res); err != nil {
- return nil, trace.BadParameter(err.Error())
- }
- if err := res.CheckAndSetDefaults(); err != nil {
- return nil, trace.Wrap(err)
- }
- return ReadIdentityFromKeyPair(res.Spec.Key, &proto.Certs{
- SSH: res.Spec.SSHCert,
- TLS: res.Spec.TLSCert,
- TLSCACerts: res.Spec.TLSCACerts,
- SSHCACerts: res.Spec.SSHCACerts,
- })
-}
-
-// WriteIdentity writes identity to the backend.
-func (p *ProcessStorage) WriteIdentity(name string, id Identity) error {
- res := IdentityV2{
- ResourceHeader: types.ResourceHeader{
- Kind: types.KindIdentity,
- Version: types.V2,
- Metadata: types.Metadata{
- Name: name,
- },
- },
- Spec: IdentitySpecV2{
- Key: id.KeyBytes,
- SSHCert: id.CertBytes,
- TLSCert: id.TLSCertBytes,
- TLSCACerts: id.TLSCACertsBytes,
- SSHCACerts: id.SSHCACertBytes,
- },
- }
- if err := res.CheckAndSetDefaults(); err != nil {
- return trace.Wrap(err)
- }
- value, err := json.Marshal(res)
- if err != nil {
- return trace.Wrap(err)
- }
- item := backend.Item{
- Key: backend.Key(idsPrefix, strings.ToLower(id.ID.Role.String()), name),
- Value: value,
- }
- _, err = p.stateStorage.Put(context.TODO(), item)
- return trace.Wrap(err)
-}
-
// StateV2 is a local process state.
type StateV2 struct {
// ResourceHeader is a common resource header.
@@ -214,7 +47,7 @@ type StateV2 struct {
// GetInitialLocalVersion gets the initial local version string. If ok is false it indicates that
// this state value was written by a teleport agent that was too old to record the initial local version.
func (s *StateV2) GetInitialLocalVersion() (v string, ok bool) {
- return s.Spec.InitialLocalVersion, s.Spec.InitialLocalVersion != unknownLocalVersion
+ return s.Spec.InitialLocalVersion, s.Spec.InitialLocalVersion != UnknownLocalVersion
}
// CheckAndSetDefaults checks and sets defaults values.
@@ -242,10 +75,10 @@ func (s *StateV2) CheckAndSetDefaults() error {
return nil
}
-// unknownVersion is a sentinel value used to distinguish between InitialLocalVersion being missing from
+// UnknownVersion is a sentinel value used to distinguish between InitialLocalVersion being missing from
// state due to malformed input and InitialLocalVersion being missing due to the state having been created before
// teleport started recording InitialLocalVersion.
-const unknownLocalVersion = "unknown"
+const UnknownLocalVersion = "unknown"
// StateSpecV2 is a state spec.
type StateSpecV2 struct {
diff --git a/lib/auth/storage/storage.go b/lib/auth/storage/storage.go
new file mode 100644
index 0000000000000..2930760b66b49
--- /dev/null
+++ b/lib/auth/storage/storage.go
@@ -0,0 +1,215 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see .
+
+// Package storage provides a mechanism for interacting with
+// the persisted state of a Teleport process.
+//
+// The state is either persisted locally on disk of the Teleport
+// process via sqlite, or if running in Kubernetes, to a Kubernetes
+// secret. Callers should take care when importing this package as
+// it can cause dependency trees to expand rapidly and also requires
+// that cgo is enbaled in order to leverage sqlite.
+package storage
+
+import (
+ "context"
+ "encoding/json"
+ "strings"
+
+ "github.com/gravitational/trace"
+
+ "github.com/gravitational/teleport/api/client/proto"
+ "github.com/gravitational/teleport/api/types"
+ "github.com/gravitational/teleport/lib/auth/state"
+ "github.com/gravitational/teleport/lib/backend"
+ "github.com/gravitational/teleport/lib/utils"
+)
+
+const (
+ // stateName is an internal resource object name
+ stateName = "state"
+ // statesPrefix is a key prefix for object states
+ statesPrefix = "states"
+ // idsPrefix is a key prefix for identities
+ idsPrefix = "ids"
+)
+
+// stateBackend implements abstraction over local or remote storage backend methods
+// required for Identity/State storage.
+// As in backend.Backend, Item keys are assumed to be valid UTF8, which may be enforced by the
+// various Backend implementations.
+type stateBackend interface {
+ // Create creates item if it does not exist
+ Create(ctx context.Context, i backend.Item) (*backend.Lease, error)
+ // Put puts value into backend (creates if it does not
+ // exists, updates it otherwise)
+ Put(ctx context.Context, i backend.Item) (*backend.Lease, error)
+ // Get returns a single item or not found error
+ Get(ctx context.Context, key []byte) (*backend.Item, error)
+}
+
+// ProcessStorage is a backend for local process state,
+// it helps to manage rotation for certificate authorities
+// and keeps local process credentials - x509 and SSH certs and keys.
+type ProcessStorage struct {
+ // BackendStorage is the SQLite backend used for operations unrelated to storing/reading identities and states.
+ BackendStorage backend.Backend
+
+ // stateStorage is the backend to store agents' identities and states.
+ // it is not required to close stateBackend storage because it's either the same as BackendStorage or it is Kubernetes
+ // which does not require any close method
+ stateStorage stateBackend
+}
+
+// Close closes all resources used by process storage backend.
+func (p *ProcessStorage) Close() error {
+ // we do not need to close stateBackend storage because it's either the same as backend or it's kubernetes
+ // which does not require any close method
+ return p.BackendStorage.Close()
+}
+
+// GetState reads rotation state from disk.
+func (p *ProcessStorage) GetState(ctx context.Context, role types.SystemRole) (*state.StateV2, error) {
+ item, err := p.stateStorage.Get(ctx, backend.Key(statesPrefix, strings.ToLower(role.String()), stateName))
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ var res state.StateV2
+ if err := utils.FastUnmarshal(item.Value, &res); err != nil {
+ return nil, trace.BadParameter(err.Error())
+ }
+
+ // an empty InitialLocalVersion is treated as an error by CheckAndSetDefaults, but if the field
+ // is missing in the underlying storage, that indicates the state was written by an older version of
+ // teleport that didn't record InitialLocalVersion. In that case, we set a sentinel value to indicate
+ // that the version is unknown rather than being erroneously omitted.
+ if res.Spec.InitialLocalVersion == "" {
+ res.Spec.InitialLocalVersion = state.UnknownLocalVersion
+ }
+
+ if err := res.CheckAndSetDefaults(); err != nil {
+ return nil, trace.Wrap(err)
+ }
+ return &res, nil
+}
+
+// CreateState creates process state if it does not exist yet.
+func (p *ProcessStorage) CreateState(role types.SystemRole, state state.StateV2) error {
+ if err := state.CheckAndSetDefaults(); err != nil {
+ return trace.Wrap(err)
+ }
+ value, err := json.Marshal(state)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ item := backend.Item{
+ Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
+ Value: value,
+ }
+ _, err = p.stateStorage.Create(context.TODO(), item)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ return nil
+}
+
+// WriteState writes local cluster state to the backend.
+func (p *ProcessStorage) WriteState(role types.SystemRole, state state.StateV2) error {
+ if err := state.CheckAndSetDefaults(); err != nil {
+ return trace.Wrap(err)
+ }
+ value, err := json.Marshal(state)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ item := backend.Item{
+ Key: backend.Key(statesPrefix, strings.ToLower(role.String()), stateName),
+ Value: value,
+ }
+ _, err = p.stateStorage.Put(context.TODO(), item)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ return nil
+}
+
+// ReadIdentity reads identity using identity name and role.
+func (p *ProcessStorage) ReadIdentity(name string, role types.SystemRole) (*state.Identity, error) {
+ if name == "" {
+ return nil, trace.BadParameter("missing parameter name")
+ }
+ item, err := p.stateStorage.Get(context.TODO(), backend.Key(idsPrefix, strings.ToLower(role.String()), name))
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ var res state.IdentityV2
+ if err := utils.FastUnmarshal(item.Value, &res); err != nil {
+ return nil, trace.BadParameter(err.Error())
+ }
+ if err := res.CheckAndSetDefaults(); err != nil {
+ return nil, trace.Wrap(err)
+ }
+ return state.ReadIdentityFromKeyPair(res.Spec.Key, &proto.Certs{
+ SSH: res.Spec.SSHCert,
+ TLS: res.Spec.TLSCert,
+ TLSCACerts: res.Spec.TLSCACerts,
+ SSHCACerts: res.Spec.SSHCACerts,
+ })
+}
+
+// WriteIdentity writes identity to the backend.
+func (p *ProcessStorage) WriteIdentity(name string, id state.Identity) error {
+ res := state.IdentityV2{
+ ResourceHeader: types.ResourceHeader{
+ Kind: types.KindIdentity,
+ Version: types.V2,
+ Metadata: types.Metadata{
+ Name: name,
+ },
+ },
+ Spec: state.IdentitySpecV2{
+ Key: id.KeyBytes,
+ SSHCert: id.CertBytes,
+ TLSCert: id.TLSCertBytes,
+ TLSCACerts: id.TLSCACertsBytes,
+ SSHCACerts: id.SSHCACertBytes,
+ },
+ }
+ if err := res.CheckAndSetDefaults(); err != nil {
+ return trace.Wrap(err)
+ }
+ value, err := json.Marshal(res)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ item := backend.Item{
+ Key: backend.Key(idsPrefix, strings.ToLower(id.ID.Role.String()), name),
+ Value: value,
+ }
+ _, err = p.stateStorage.Put(context.TODO(), item)
+ return trace.Wrap(err)
+}
+
+// ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the
+// key storage (dataDir).
+func ReadLocalIdentity(dataDir string, id state.IdentityID) (*state.Identity, error) {
+ storage, err := NewProcessStorage(context.TODO(), dataDir)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ defer storage.Close()
+ return storage.ReadIdentity(state.IdentityCurrent, id.Role)
+}
diff --git a/lib/auth/state/state_unix.go b/lib/auth/storage/storage_unix.go
similarity index 99%
rename from lib/auth/state/state_unix.go
rename to lib/auth/storage/storage_unix.go
index 9ab1379d5b5ee..7bdc6a227b8c0 100644
--- a/lib/auth/state/state_unix.go
+++ b/lib/auth/storage/storage_unix.go
@@ -19,7 +19,7 @@
* along with this program. If not, see .
*/
-package state
+package storage
import (
"context"
diff --git a/lib/auth/state/state_windows.go b/lib/auth/storage/storage_windows.go
similarity index 98%
rename from lib/auth/state/state_windows.go
rename to lib/auth/storage/storage_windows.go
index a5246017ed1ee..3c262a2802199 100644
--- a/lib/auth/state/state_windows.go
+++ b/lib/auth/storage/storage_windows.go
@@ -19,7 +19,7 @@
* along with this program. If not, see .
*/
-package state
+package storage
import (
"context"
diff --git a/lib/service/service.go b/lib/service/service.go
index 933cf62b05fc3..3055c2fcb4abd 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -89,6 +89,7 @@ import (
"github.com/gravitational/teleport/lib/auth/keygen"
"github.com/gravitational/teleport/lib/auth/native"
"github.com/gravitational/teleport/lib/auth/state"
+ "github.com/gravitational/teleport/lib/auth/storage"
"github.com/gravitational/teleport/lib/authz"
"github.com/gravitational/teleport/lib/automaticupgrades"
"github.com/gravitational/teleport/lib/backend"
@@ -406,7 +407,7 @@ type TeleportProcess struct {
forkedTeleportCount atomic.Int32
// storage is a server local storage
- storage *state.ProcessStorage
+ storage *storage.ProcessStorage
// id is a process id - used to identify different processes
// during in-process reloads.
@@ -918,7 +919,7 @@ func NewTeleport(cfg *servicecfg.Config) (*TeleportProcess, error) {
}
supervisor := NewSupervisor(processID, cfg.Log)
- storage, err := state.NewProcessStorage(supervisor.ExitContext(), filepath.Join(cfg.DataDir, teleport.ComponentProcess))
+ storage, err := storage.NewProcessStorage(supervisor.ExitContext(), filepath.Join(cfg.DataDir, teleport.ComponentProcess))
if err != nil {
return nil, trace.Wrap(err)
}
diff --git a/tool/tctl/common/admin_action_test.go b/tool/tctl/common/admin_action_test.go
index 52ee2bcc9ad10..48d9bec14bdcc 100644
--- a/tool/tctl/common/admin_action_test.go
+++ b/tool/tctl/common/admin_action_test.go
@@ -45,6 +45,7 @@ import (
"github.com/gravitational/teleport/lib/auth/mocku2f"
"github.com/gravitational/teleport/lib/auth/native"
"github.com/gravitational/teleport/lib/auth/state"
+ "github.com/gravitational/teleport/lib/auth/storage"
wancli "github.com/gravitational/teleport/lib/auth/webauthncli"
wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
libclient "github.com/gravitational/teleport/lib/client"
@@ -1065,7 +1066,7 @@ func newAdminActionTestSuite(t *testing.T) *adminActionTestSuite {
hostUUID, err := utils.ReadHostUUID(process.Config.DataDir)
require.NoError(t, err)
- localAdmin, err := state.ReadLocalIdentity(
+ localAdmin, err := storage.ReadLocalIdentity(
filepath.Join(process.Config.DataDir, teleport.ComponentProcess),
state.IdentityID{Role: types.RoleAdmin, HostUUID: hostUUID},
)
diff --git a/tool/tctl/common/tctl.go b/tool/tctl/common/tctl.go
index 4a4b502915001..24af9c1da1a24 100644
--- a/tool/tctl/common/tctl.go
+++ b/tool/tctl/common/tctl.go
@@ -42,6 +42,7 @@ import (
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/auth/authclient"
"github.com/gravitational/teleport/lib/auth/state"
+ "github.com/gravitational/teleport/lib/auth/storage"
"github.com/gravitational/teleport/lib/client"
"github.com/gravitational/teleport/lib/client/identityfile"
libmfa "github.com/gravitational/teleport/lib/client/mfa"
@@ -388,7 +389,7 @@ func ApplyConfig(ccf *GlobalCLIFlags, cfg *servicecfg.Config) (*authclient.Confi
}
return nil, trace.Wrap(err)
}
- identity, err := state.ReadLocalIdentity(filepath.Join(cfg.DataDir, teleport.ComponentProcess), state.IdentityID{Role: types.RoleAdmin, HostUUID: cfg.HostUUID})
+ identity, err := storage.ReadLocalIdentity(filepath.Join(cfg.DataDir, teleport.ComponentProcess), state.IdentityID{Role: types.RoleAdmin, HostUUID: cfg.HostUUID})
if err != nil {
// The "admin" identity is not present? This means the tctl is running
// NOT on the auth server
diff --git a/tool/teleport/testenv/test_server.go b/tool/teleport/testenv/test_server.go
index 8160937529c15..aa479fa51dd41 100644
--- a/tool/teleport/testenv/test_server.go
+++ b/tool/teleport/testenv/test_server.go
@@ -49,6 +49,7 @@ import (
"github.com/gravitational/teleport/lib/auth/authclient"
"github.com/gravitational/teleport/lib/auth/native"
"github.com/gravitational/teleport/lib/auth/state"
+ "github.com/gravitational/teleport/lib/auth/storage"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/cloud/imds"
"github.com/gravitational/teleport/lib/defaults"
@@ -653,7 +654,7 @@ func MakeDefaultAuthClient(t *testing.T, process *service.TeleportProcess) *auth
hostUUID, err := utils.ReadHostUUID(process.Config.DataDir)
require.NoError(t, err)
- identity, err := state.ReadLocalIdentity(
+ identity, err := storage.ReadLocalIdentity(
filepath.Join(cfg.DataDir, teleport.ComponentProcess),
state.IdentityID{Role: types.RoleAdmin, HostUUID: hostUUID},
)