[v16] Add basic VNet integration to Connect (#42225)

* Expose clusters.Cluster.ReissueAppCert

It will be needed in VNet to issue app certs.

* Make teleterm VNet actually start VNet

* Rename Storage.ReadAll to ListRootClusters

* Replace client.Store in VNet service with calls on daemon.Service

* Adjust copy of search bar app results

* Fix copying app name to clipboard

Author: ravicious

lib/teleterm/apiserver/apiserver.go

@@ -30,7 +30,7 @@ import (
 	vnetapi "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/teleterm/apiserver/handler"
-	vnet "github.com/gravitational/teleport/lib/teleterm/vnet"
+	"github.com/gravitational/teleport/lib/teleterm/vnet"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -63,7 +63,13 @@ func New(cfg Config) (*APIServer, error) {
 		return nil, trace.Wrap(err)
 	}
 
-	vnetService := &vnet.Service{}
+	vnetService, err := vnet.New(vnet.Config{
+		DaemonService:      cfg.Daemon,
+		InsecureSkipVerify: cfg.InsecureSkipVerify,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 
 	api.RegisterTerminalServiceServer(grpcServer, serviceHandler)
 	vnetapi.RegisterVnetServiceServer(grpcServer, vnetService)
@@ -84,7 +90,9 @@ func (s *APIServer) Serve() error {
 // Stop stops the server and closes all listeners
 func (s *APIServer) Stop() {
 	s.grpcServer.GracefulStop()
-	s.vnetService.Close()
+	if err := s.vnetService.Close(); err != nil {
+		log.WithError(err).Error("Error while closing VNet service")
+	}
 }
 
 func newListener(hostAddr string, listeningC chan<- utils.NetAddr) (net.Listener, error) {

lib/teleterm/apiserver/config.go

@@ -31,7 +31,8 @@ import (
 // Config is the APIServer configuration
 type Config struct {
 	// HostAddr is the APIServer host address
-	HostAddr string
+	HostAddr           string
+	InsecureSkipVerify bool
 	// Daemon is the terminal daemon service
 	Daemon *daemon.Service
 	// Log is a component logger

lib/teleterm/clusters/cluster_apps.go

@@ -148,8 +148,8 @@ func (c *Cluster) getApp(ctx context.Context, authClient authclient.ClientI, app
 	return app, trace.Wrap(err)
 }
 
-// reissueAppCert issue new certificates for the app and saves them to disk.
-func (c *Cluster) reissueAppCert(ctx context.Context, clusterClient *client.ClusterClient, app types.Application) (tls.Certificate, error) {
+// ReissueAppCert issue new certificates for the app and saves them to disk.
+func (c *Cluster) ReissueAppCert(ctx context.Context, clusterClient *client.ClusterClient, app types.Application) (tls.Certificate, error) {
 	if app.IsAWSConsole() || app.IsGCP() || app.IsAzureCloud() {
 		return tls.Certificate{}, trace.BadParameter("cloud applications are not supported")
 	}

lib/teleterm/clusters/cluster_gateways.go

@@ -165,7 +165,7 @@ func (c *Cluster) createAppGateway(ctx context.Context, params CreateGatewayPara
 	var cert tls.Certificate
 
 	if err := AddMetadataToRetryableError(ctx, func() error {
-		cert, err = c.reissueAppCert(ctx, params.ClusterClient, app)
+		cert, err = c.ReissueAppCert(ctx, params.ClusterClient, app)
 		return trace.Wrap(err)
 	}); err != nil {
 		return nil, trace.Wrap(err)
@@ -230,7 +230,7 @@ func (c *Cluster) ReissueGatewayCerts(ctx context.Context, clusterClient *client
 		}
 
 		// The cert is returned from this function and finally set on LocalProxy by the middleware.
-		cert, err := c.reissueAppCert(ctx, clusterClient, app)
+		cert, err := c.ReissueAppCert(ctx, clusterClient, app)
 		return cert, trace.Wrap(err)
 	default:
 		return tls.Certificate{}, trace.NotImplemented("ReissueGatewayCerts does not support this gateway kind %v", g.TargetURI().String())

lib/teleterm/clusters/storage.go

@@ -39,9 +39,15 @@ func NewStorage(cfg Config) (*Storage, error) {
 	return &Storage{Config: cfg}, nil
 }
 
-// ReadAll reads clusters from profiles
-func (s *Storage) ReadAll() ([]*Cluster, error) {
+// ListProfileNames returns just the names of profiles in s.Dir.
+func (s *Storage) ListProfileNames() ([]string, error) {
 	pfNames, err := profile.ListProfileNames(s.Dir)
+	return pfNames, trace.Wrap(err)
+}
+
+// ListRootClusters reads root clusters from profiles.
+func (s *Storage) ListRootClusters() ([]*Cluster, error) {
+	pfNames, err := s.ListProfileNames()
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/teleterm/daemon/config.go

@@ -38,7 +38,8 @@ import (
 type Storage interface {
 	clusters.Resolver
 
-	ReadAll() ([]*clusters.Cluster, error)
+	ListProfileNames() ([]string, error)
+	ListRootClusters() ([]*clusters.Cluster, error)
 	Add(ctx context.Context, webProxyAddress string) (*clusters.Cluster, *client.TeleportClient, error)
 	Remove(ctx context.Context, profileName string) error
 	GetByResourceURI(resourceURI uri.ResourceURI) (*clusters.Cluster, *client.TeleportClient, error)

lib/teleterm/daemon/daemon.go

@@ -160,14 +160,17 @@ func (s *Service) retryWithRelogin(ctx context.Context, reloginReq *api.ReloginR
 	return trace.Wrap(err)
 }
 
+// ListProfileNames lists profile names from storage. It's a lightweight alternative to
+// ListRootClusters, which also reads all profiles beyond their names and initializes clients.
+func (s *Service) ListProfileNames() ([]string, error) {
+	pfNames, err := s.cfg.Storage.ListProfileNames()
+	return pfNames, trace.Wrap(err)
+}
+
 // ListRootClusters returns a list of root clusters
 func (s *Service) ListRootClusters(ctx context.Context) ([]*clusters.Cluster, error) {
-	clusters, err := s.cfg.Storage.ReadAll()
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return clusters, nil
+	clusters, err := s.cfg.Storage.ListRootClusters()
+	return clusters, trace.Wrap(err)
 }
 
 // ListLeafClusters returns a list of leaf clusters

lib/teleterm/daemon/daemon_headless.go

@@ -75,7 +75,7 @@ func (s *Service) StartHeadlessWatchers() error {
 	s.headlessWatcherClosersMu.Lock()
 	defer s.headlessWatcherClosersMu.Unlock()
 
-	clusters, err := s.cfg.Storage.ReadAll()
+	clusters, err := s.cfg.Storage.ListRootClusters()
 	if err != nil {
 		return trace.Wrap(err)
 	}

lib/teleterm/teleterm.go

@@ -67,10 +67,11 @@ func Serve(ctx context.Context, cfg Config) error {
 	}
 
 	apiServer, err := apiserver.New(apiserver.Config{
-		HostAddr:        cfg.Addr,
-		Daemon:          daemonService,
-		TshdServerCreds: grpcCredentials.tshd,
-		ListeningC:      cfg.ListeningC,
+		HostAddr:           cfg.Addr,
+		InsecureSkipVerify: cfg.InsecureSkipVerify,
+		Daemon:             daemonService,
+		TshdServerCreds:    grpcCredentials.tshd,
+		ListeningC:         cfg.ListeningC,
 	})
 	if err != nil {
 		return trace.Wrap(err)

lib/teleterm/vnet/service.go

@@ -14,35 +14,226 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-package service
+package vnet
 
 import (
 	"context"
-	"math/rand"
-	"time"
+	"crypto/tls"
+	"errors"
+	"sync"
 
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport"
+	vnetproto "github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1"
+	"github.com/gravitational/teleport/api/types"
 	api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1"
+	"github.com/gravitational/teleport/lib/client"
+	"github.com/gravitational/teleport/lib/teleterm/api/uri"
+	"github.com/gravitational/teleport/lib/teleterm/daemon"
+	logutils "github.com/gravitational/teleport/lib/utils/log"
+	"github.com/gravitational/teleport/lib/vnet"
+)
+
+var log = logutils.NewPackageLogger(teleport.ComponentKey, "term:vnet")
+
+type status int
+
+const (
+	statusNotRunning status = iota
+	statusRunning
+	statusClosed
 )
 
 // Service implements gRPC service for VNet.
 type Service struct {
 	api.UnimplementedVnetServiceServer
+
+	cfg            Config
+	mu             sync.Mutex
+	status         status
+	processManager *vnet.ProcessManager
+}
+
+// New creates an instance of Service.
+func New(cfg Config) (*Service, error) {
+	if err := cfg.CheckAndSetDefaults(); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return &Service{
+		cfg: cfg,
+	}, nil
+}
+
+type Config struct {
+	DaemonService      *daemon.Service
+	InsecureSkipVerify bool
+}
+
+// CheckAndSetDefaults checks and sets the defaults
+func (c *Config) CheckAndSetDefaults() error {
+	if c.DaemonService == nil {
+		return trace.BadParameter("missing DaemonService")
+	}
+
+	return nil
 }
 
 func (s *Service) Start(ctx context.Context, req *api.StartRequest) (*api.StartResponse, error) {
-	n := rand.Intn(10)
-	randomDelay := time.Duration(n) * 100 * time.Millisecond
-	time.Sleep(randomDelay + 400*time.Millisecond)
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.status == statusClosed {
+		return nil, trace.CompareFailed("VNet service has been closed")
+	}
+
+	if s.status == statusRunning {
+		return &api.StartResponse{}, nil
+	}
+
+	appProvider := &appProvider{
+		daemonService:      s.cfg.DaemonService,
+		insecureSkipVerify: s.cfg.InsecureSkipVerify,
+	}
+
+	processManager, err := vnet.SetupAndRun(ctx, appProvider)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	go func() {
+		err := processManager.Wait()
+		if err != nil && !errors.Is(err, context.Canceled) {
+			log.ErrorContext(ctx, "VNet closed with an error", "error", err)
+		} else {
+			log.DebugContext(ctx, "VNet closed")
+		}
+
+		// TODO(ravicious): Notify the Electron app about change of VNet state, but only if it's
+		// running. If it's not running, then the Start RPC has already failed and forwarded the error
+		// to the user.
+
+		s.mu.Lock()
+		defer s.mu.Unlock()
+
+		if s.status == statusRunning {
+			s.status = statusNotRunning
+		}
+	}()
+
+	s.processManager = processManager
+	s.status = statusRunning
 	return &api.StartResponse{}, nil
 }
 
+// Stop stops VNet and cleans up used resources. Blocks until VNet stops or ctx is canceled.
 func (s *Service) Stop(ctx context.Context, req *api.StopRequest) (*api.StopResponse, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	err := s.stopLocked()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	return &api.StopResponse{}, nil
 }
 
-// Close stops the current VNet instance and prevents new instances from being started.
-//
+func (s *Service) stopLocked() error {
+	if s.status == statusClosed {
+		return trace.CompareFailed("VNet service has been closed")
+	}
+
+	if s.status == statusNotRunning {
+		return nil
+	}
+
+	s.processManager.Close()
+	err := s.processManager.Wait()
+	if err != nil && !errors.Is(err, context.Canceled) {
+		return trace.Wrap(err)
+	}
+
+	s.status = statusNotRunning
+	return nil
+}
+
+// Close stops VNet service and prevents it from being started again. Blocks until VNet stops.
 // Intended for cleanup code when tsh daemon gets terminated.
 func (s *Service) Close() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	err := s.stopLocked()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	s.status = statusClosed
 	return nil
 }
+
+type appProvider struct {
+	daemonService      *daemon.Service
+	insecureSkipVerify bool
+}
+
+func (p *appProvider) ListProfiles() ([]string, error) {
+	profiles, err := p.daemonService.ListProfileNames()
+	return profiles, trace.Wrap(err)
+}
+
+func (p *appProvider) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (*client.ClusterClient, error) {
+	uri := uri.NewClusterURI(profileName).AppendLeafCluster(leafClusterName)
+	client, err := p.daemonService.GetCachedClient(ctx, uri)
+	return client, trace.Wrap(err)
+}
+
+func (p *appProvider) ReissueAppCert(ctx context.Context, profileName, leafClusterName string, app types.Application) (tls.Certificate, error) {
+	clusterURI := uri.NewClusterURI(profileName).AppendLeafCluster(leafClusterName)
+	cluster, _, err := p.daemonService.ResolveClusterURI(clusterURI)
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+
+	client, err := p.daemonService.GetCachedClient(ctx, clusterURI)
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+
+	// TODO(ravicious): Copy stuff from DaemonService.reissueGatewayCerts in order to handle expired certs.
+	cert, err := cluster.ReissueAppCert(ctx, client, app)
+	return cert, trace.Wrap(err)
+}
+
+// GetDialOptions returns ALPN dial options for the profile.
+func (p *appProvider) GetDialOptions(ctx context.Context, profileName string) (*vnet.DialOptions, error) {
+	cluster, tc, err := p.daemonService.ResolveClusterURI(uri.NewClusterURI(profileName))
+	if err != nil {
+		return nil, trace.Wrap(err, "resolving cluster by URI")
+	}
+
+	dialOpts := &vnet.DialOptions{
+		WebProxyAddr:            cluster.GetProxyHost(),
+		ALPNConnUpgradeRequired: tc.TLSRoutingConnUpgradeRequired,
+		InsecureSkipVerify:      p.insecureSkipVerify,
+	}
+	if dialOpts.ALPNConnUpgradeRequired {
+		dialOpts.RootClusterCACertPool, err = tc.RootClusterCACertPool(ctx)
+		if err != nil {
+			return nil, trace.Wrap(err, "loading root cluster CA cert pool")
+		}
+	}
+	return dialOpts, nil
+}
+
+func (p *appProvider) GetVnetConfig(ctx context.Context, profileName, leafClusterName string) (*vnetproto.VnetConfig, error) {
+	clusterClient, err := p.GetCachedClient(ctx, profileName, leafClusterName)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	vnetConfigClient := clusterClient.AuthClient.VnetConfigServiceClient()
+	vnetConfig, err := vnetConfigClient.GetVnetConfig(ctx, &vnetproto.GetVnetConfigRequest{})
+	return vnetConfig, trace.Wrap(err)
+}