Address CRS

lib/auth/trustedcluster.go

@@ -679,7 +679,9 @@ func (a *Server) sendValidateRequestToProxy(ctx context.Context, host string, va
 		opts = append(opts, roundtrip.HTTPClient(insecureWebClient))
 	}
 
-	clt, err := roundtrip.NewClient(proxyAddr.String(), "", opts...)
+	// We do not add the version prefix since web api endpoints will
+	// contain differing version prefixes.
+	clt, err := roundtrip.NewClient(proxyAddr.String(), "" /* version prefix */, opts...)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/client/https_client.go

@@ -61,6 +61,8 @@ func httpTransport(insecure bool, pool *x509.CertPool) *http.Transport {
 
 func NewWebClient(url string, opts ...roundtrip.ClientParam) (*WebClient, error) {
 	opts = append(opts, roundtrip.SanitizerEnabled(true))
+	// We do not add the version prefix since web api endpoints will contain
+	// differing version prefixes.
 	clt, err := roundtrip.NewClient(url, "" /* version prefix */, opts...)
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/httplib/httplib.go

@@ -212,9 +212,9 @@ func ConvertResponse(re *roundtrip.Response, err error) (*roundtrip.Response, er
 	return re, trace.ReadError(re.Code(), re.Bytes())
 }
 
-// Version describes the parts of a semver version
-// in the format: major.minor.patch-preRelease
-type Version struct {
+// ProxyVersion describes the parts of a Proxy semver
+// version in the format: major.minor.patch-preRelease
+type ProxyVersion struct {
 	// Major is the first part of version.
 	Major int64 `json:"major"`
 	// Minor is the second part of version.
@@ -229,22 +229,24 @@ type Version struct {
 	String string `json:"string"`
 }
 
-// ReplyRouteNotFoundJSONWithVersionField writes a JSON error reply containing
+// RouteNotFoundResponse writes a JSON error reply containing
 // a not found error, a Version object, and a not found HTTP status code.
-func ReplyRouteNotFoundJSONWithVersionField(w http.ResponseWriter, versionStr string) {
+func RouteNotFoundResponse(w http.ResponseWriter, proxyVersion string) {
 	SetDefaultSecurityHeaders(w.Header())
 
 	errObj := &trace.TraceErr{
 		Err: trace.NotFound("path not found"),
 	}
 
-	ver, err := semver.NewVersion(versionStr)
-	if err == nil {
-		verObj := Version{
+	ver, err := semver.NewVersion(proxyVersion)
+	if err != nil {
+		slog.Debug("Error parsing Teleport proxy semver version", "err", err)
+	} else {
+		verObj := ProxyVersion{
 			Major:      ver.Major,
 			Minor:      ver.Minor,
 			Patch:      ver.Patch,
-			String:     versionStr,
+			String:     proxyVersion,
 			PreRelease: string(ver.PreRelease),
 		}
 		fields := make(map[string]interface{})

lib/web/apiserver.go

@@ -34,7 +34,6 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"regexp"
 	"slices"
 	"strconv"
 	"strings"
@@ -109,9 +108,6 @@ import (
 	"github.com/gravitational/teleport/lib/web/ui"
 )
 
-// apiPrefixRegex matches pathnames starting with /v<version num>/<any characters>
-var apiPrefixRegex = regexp.MustCompile(`^/v(\d+)/(.+)`)
-
 const (
 	// SSOLoginFailureMessage is a generic error message to avoid disclosing sensitive SSO failure messages.
 	SSOLoginFailureMessage = "Failed to login. Please check Teleport's log for more details."
@@ -614,7 +610,7 @@ func NewHandler(cfg Config, opts ...HandlerOption) (*APIHandler, error) {
 		h.nodeWatcher = cfg.NodeWatcher
 	}
 
-	v1Prefix := "/v1"
+	const v1Prefix = "/v1"
 	notFoundRoutingHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Request is going to the API?
 		// If no routes were matched, it could be because it's a path with `v1` prefix
@@ -638,7 +634,7 @@ func NewHandler(cfg Config, opts ...HandlerOption) (*APIHandler, error) {
 					return
 				}
 			}
-			httplib.ReplyRouteNotFoundJSONWithVersionField(w, teleport.Version)
+			httplib.RouteNotFoundResponse(w, teleport.Version)
 			return
 		}
 
@@ -690,7 +686,7 @@ func NewHandler(cfg Config, opts ...HandlerOption) (*APIHandler, error) {
 				h.logger.ErrorContext(r.Context(), "Failed to execute index page template", "error", err)
 			}
 		} else {
-			httplib.ReplyRouteNotFoundJSONWithVersionField(w, teleport.Version)
+			httplib.RouteNotFoundResponse(w, teleport.Version)
 			return
 		}
 	})
@@ -892,6 +888,7 @@ func (h *Handler) bindDefaultEndpoints() {
 	// MUST delete with related code found in web/packages/teleport/src/services/joinToken/joinToken.ts(fetchJoinToken)
 	h.POST("/webapi/token", h.WithAuth(h.createTokenForDiscoveryHandle))
 	// used for creating tokens used during guided discover flows
+	// v2 endpoint processes "suggestedLabels" field
 	h.POST("/v2/webapi/token", h.WithAuth(h.createTokenForDiscoveryHandle))
 	h.GET("/webapi/tokens", h.WithAuth(h.getTokens))
 	h.DELETE("/webapi/tokens", h.WithAuth(h.deleteToken))
@@ -1027,6 +1024,7 @@ func (h *Handler) bindDefaultEndpoints() {
 	// TODO(kimlisa): DELETE IN 19.0 - replaced by /v2/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters
 	// MUST delete with related code found in web/packages/teleport/src/services/integrations/integrations.ts(enrollEksClusters)
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters", h.WithClusterAuth(h.awsOIDCEnrollEKSClusters))
+	// v2 endpoint introduces "extraLabels" field.
 	h.POST("/v2/webapi/sites/:site/integrations/aws-oidc/:name/enrolleksclusters", h.WithClusterAuth(h.awsOIDCEnrollEKSClusters))
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/ec2ice", h.WithClusterAuth(h.awsOIDCListEC2ICE))
 	h.POST("/webapi/sites/:site/integrations/aws-oidc/:name/deployec2ice", h.WithClusterAuth(h.awsOIDCDeployEC2ICE))

lib/web/apiserver_test.go

@@ -3519,7 +3519,7 @@ func TestEndpointNotFoundHandling(t *testing.T) {
 				require.NoError(t, json.Unmarshal(*rawObjMap["error"], &errMsg))
 				require.Equal(t, "path not found", errMsg.Message)
 
-				fields := struct{ ProxyVersion httplib.Version }{}
+				fields := struct{ ProxyVersion httplib.ProxyVersion }{}
 				require.NoError(t, json.Unmarshal(*rawObjMap["fields"], &fields))
 				require.Equal(t, teleport.Version, fields.ProxyVersion.String)
 
@@ -3531,14 +3531,14 @@ func TestEndpointNotFoundHandling(t *testing.T) {
 				require.Equal(t, string(ver.PreRelease), fields.ProxyVersion.PreRelease)
 
 				return
-			}
-
-			require.NoError(t, err)
+			} else {
+				require.NoError(t, err)
 
-			var responseToken nodeJoinToken
-			err = json.Unmarshal(re.Bytes(), &responseToken)
-			require.NoError(t, err)
-			require.Equal(t, types.JoinMethodToken, responseToken.Method)
+				var responseToken nodeJoinToken
+				err = json.Unmarshal(re.Bytes(), &responseToken)
+				require.NoError(t, err)
+				require.Equal(t, types.JoinMethodToken, responseToken.Method)
+			}
 		})
 	}
 }

lib/web/integrations_awsoidc.go

@@ -743,6 +743,7 @@ func (h *Handler) awsOIDCConfigureEKSIAM(w http.ResponseWriter, r *http.Request,
 }
 
 // awsOIDCEnrollEKSClusters enroll EKS clusters by installing teleport-kube-agent Helm chart on them.
+// v2 endpoint introduces "extraLabels" field.
 func (h *Handler) awsOIDCEnrollEKSClusters(w http.ResponseWriter, r *http.Request, p httprouter.Params, sctx *SessionContext, site reversetunnelclient.RemoteSite) (any, error) {
 	ctx := r.Context()
 

lib/web/join_tokens.go

@@ -254,6 +254,8 @@ func (h *Handler) upsertTokenHandle(w http.ResponseWriter, r *http.Request, para
 	return uiToken, nil
 }
 
+// createTokenForDiscoveryHandle creates tokens used during guided discover flows.
+// V2 endpoint processes "suggestedLabels" field.
 func (h *Handler) createTokenForDiscoveryHandle(w http.ResponseWriter, r *http.Request, params httprouter.Params, ctx *SessionContext) (interface{}, error) {
 	clt, err := ctx.GetClient()
 	if err != nil {