Naji/proxy peering client

constants.go

@@ -116,6 +116,9 @@ const (
 	// ComponentProxy is SSH proxy (SSH server forwarding connections)
 	ComponentProxy = "proxy"
 
+	// ComponentProxyPeer is the proxy peering component of the proxy service
+	ComponentProxyPeer = "proxy:peer"
+
 	// ComponentApp is the application proxy service.
 	ComponentApp = "app:service"
 

go.mod

@@ -51,7 +51,7 @@ require (
 	github.com/gravitational/reporting v0.0.0-20210923183620-237377721140
 	github.com/gravitational/roundtrip v1.0.1
 	github.com/gravitational/teleport/api v0.0.0
-	github.com/gravitational/trace v1.1.17
+	github.com/gravitational/trace v1.1.18
 	github.com/gravitational/ttlmap v0.0.0-20171116003245-91fd36b9004c
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/openmetrics/v2 v2.0.0-20220308023801-e4a6915ea237
 	github.com/hashicorp/golang-lru v0.5.4
@@ -103,6 +103,7 @@ require (
 	google.golang.org/api v0.65.0
 	google.golang.org/genproto v0.0.0-20220118154757-00ab72f36ad5
 	google.golang.org/grpc v1.43.0
+	google.golang.org/grpc/examples v0.0.0-20220317213542-f95b001a48df
 	google.golang.org/protobuf v1.27.1
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/ini.v1 v1.62.0

go.sum

@@ -521,8 +521,9 @@ github.com/gravitational/reporting v0.0.0-20210923183620-237377721140/go.mod h1:
 github.com/gravitational/roundtrip v1.0.1 h1:eD/y0av12Gu9VIwNgPY/ltmpeVk0Azek/yIJvOPuTuY=
 github.com/gravitational/roundtrip v1.0.1/go.mod h1:qccpLd30tAJVSpx7aOEEnws4ZT3njPwdbtT8lNQxbAs=
 github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf/go.mod h1:zXqxTI6jXDdKnlf8s+nT+3c8LrwUEy3yNpO4XJL90lA=
-github.com/gravitational/trace v1.1.17 h1:BkF30oLm1aKMZ5SPVbnlVbYtYEsG26zHxA4dJ+Z46dM=
 github.com/gravitational/trace v1.1.17/go.mod h1:n0ijrq6psJY0sOI/NzLp+xdd8xl79jjwzVOFHDY6+kQ=
+github.com/gravitational/trace v1.1.18 h1:Ulobib6xd5g1ct+ZC01HPAEvODws7QerjuTY9L4U8pY=
+github.com/gravitational/trace v1.1.18/go.mod h1:n0ijrq6psJY0sOI/NzLp+xdd8xl79jjwzVOFHDY6+kQ=
 github.com/gravitational/ttlmap v0.0.0-20171116003245-91fd36b9004c h1:C2iWDiod8vQ3YnOiCdMP9qYeg2UifQ8KSk36r0NswSE=
 github.com/gravitational/ttlmap v0.0.0-20171116003245-91fd36b9004c/go.mod h1:erKVikttPjeHKDCQZcqowEqiccy23cJAqPadZgfjNm8=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
@@ -1565,6 +1566,8 @@ google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ5
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/examples v0.0.0-20200723182653-9106c3fff523/go.mod h1:5j1uub0jRGhRiSghIlrThmBUgcgLXOVJQ/l1getT4uo=
 google.golang.org/grpc/examples v0.0.0-20210424002626-9572fd6faeae/go.mod h1:Ly7ZA/ARzg8fnPU9TyZIxoz33sEUuWX7txiqs8lPTgE=
+google.golang.org/grpc/examples v0.0.0-20220317213542-f95b001a48df h1:7Gq+gDOOhAZ1zuhvFhzTbC7jlpSfRGyxaJC4zqSzo6s=
+google.golang.org/grpc/examples v0.0.0-20220317213542-f95b001a48df/go.mod h1:wKDg0brwMZpaizQ1i7IzYcJjH1TmbJudYdnQC9+J+LE=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

lib/auth/middleware.go

@@ -412,12 +412,12 @@ func (a *Middleware) UnaryInterceptor() grpc.UnaryServerInterceptor {
 	if a.GRPCMetrics != nil {
 		return utils.ChainUnaryServerInterceptors(
 			om.UnaryServerInterceptor(a.GRPCMetrics),
-			utils.ErrorConvertUnaryInterceptor,
+			utils.GRPCServerUnaryErrorInterceptor,
 			a.Limiter.UnaryServerInterceptorWithCustomRate(getCustomRate),
 			a.withAuthenticatedUserUnaryInterceptor)
 	}
 	return utils.ChainUnaryServerInterceptors(
-		utils.ErrorConvertUnaryInterceptor,
+		utils.GRPCServerUnaryErrorInterceptor,
 		a.Limiter.UnaryServerInterceptorWithCustomRate(getCustomRate),
 		a.withAuthenticatedUserUnaryInterceptor)
 }
@@ -429,12 +429,12 @@ func (a *Middleware) StreamInterceptor() grpc.StreamServerInterceptor {
 	if a.GRPCMetrics != nil {
 		return utils.ChainStreamServerInterceptors(
 			om.StreamServerInterceptor(a.GRPCMetrics),
-			utils.ErrorConvertStreamInterceptor,
+			utils.GRPCServerStreamErrorInterceptor,
 			a.Limiter.StreamServerInterceptor,
 			a.withAuthenticatedUserStreamInterceptor)
 	}
 	return utils.ChainStreamServerInterceptors(
-		utils.ErrorConvertStreamInterceptor,
+		utils.GRPCServerStreamErrorInterceptor,
 		a.Limiter.StreamServerInterceptor,
 		a.withAuthenticatedUserStreamInterceptor)
 }

lib/proxy/auth.go

@@ -17,6 +17,7 @@ package proxy
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"net"
 
 	"github.com/gravitational/teleport/api/types"
@@ -98,22 +99,52 @@ func checkProxyRole(authInfo credentials.AuthInfo) error {
 	return trace.AccessDenied("proxy system role required")
 }
 
+// getConfigForClient clones and updates the server's tls config with the
+// appropriate client certificate authorities.
 func getConfigForClient(tlsConfig *tls.Config, ap auth.AccessCache, log logrus.FieldLogger) func(*tls.ClientHelloInfo) (*tls.Config, error) {
 	return func(info *tls.ClientHelloInfo) (*tls.Config, error) {
-		clusterName, err := ap.GetClusterName()
-		if err != nil {
-			log.WithError(err).Error("Failed to retrieve cluster name.")
-			return nil, nil
-		}
+		tlsCopy := tlsConfig.Clone()
 
-		pool, _, err := auth.ClientCertPool(ap, clusterName.GetClusterName())
+		pool, err := getCertPool(ap)
 		if err != nil {
 			log.WithError(err).Error("Failed to retrieve client CA pool.")
-			return nil, nil
+			return tlsCopy, nil
 		}
 
-		tlsCopy := tlsConfig.Clone()
+		tlsCopy.ClientAuth = tls.RequireAndVerifyClientCert
 		tlsCopy.ClientCAs = pool
 		return tlsCopy, nil
 	}
 }
+
+// getConfigForServer clones and updates the client's tls config with the
+// appropriate server certificate authorities.
+func getConfigForServer(tlsConfig *tls.Config, ap auth.AccessCache, log logrus.FieldLogger) func() (*tls.Config, error) {
+	return func() (*tls.Config, error) {
+		tlsCopy := tlsConfig.Clone()
+
+		pool, err := getCertPool(ap)
+		if err != nil {
+			log.WithError(err).Error("Failed to retrieve server CA pool.")
+			return tlsCopy, nil
+		}
+
+		tlsCopy.RootCAs = pool
+		return tlsCopy, nil
+	}
+}
+
+// getCertPool returns a new cert pool from cache if any.
+func getCertPool(ap auth.AccessCache) (*x509.CertPool, error) {
+	clusterName, err := ap.GetClusterName()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	pool, _, err := auth.ClientCertPool(ap, clusterName.GetClusterName())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return pool, nil
+}