Teleport 12 Web Test Plan

Web UI

Main @hatched

For main, test with a role that has access to all resources.

[x] Interact with a cluster using the Web UI
- [x] Connect to a Teleport node
- [x] Connect to a OpenSSH node
- [x] Check agent forwarding is correct based on role and proxy mode.

Top Nav @hatched

[x] Verify that cluster selector displays all (root + leaf) clusters
[x] Verify that user name is displayed
[x] Verify that user menu shows logout, help&support, and account settings (for local users)

Side Nav @hatched

[x] Verify that each item has an icon
[x] Verify that Collapse/Expand works and collapsed has icon >, and expand has icon v
[x] Verify that it automatically expands and highlights the item on page refresh

Servers aka Nodes @hatched

[x] Verify that "Servers" table shows all joined nodes
[x] Verify that "Connect" button shows a list of available logins
[x] Verify that "Hostname", "Address" and "Labels" columns show the current values
[x] Verify that "Search" by hostname, address, labels works
[x] Verify that terminal opens when clicking on one of the available logins
[ ] ~~Verify that clicking on Add Server button renders dialogue set to Automatically view~~ Add Server now uses Discover workflow.
- [ ] Verify clicking on Regenerate Script regenerates token value in the bash command
- [ ] Verify using the bash command successfully adds the server (refresh server list)
- [ ] Verify that clicking on Manually tab renders manual steps
- [ ] Verify that clicking back to Automatically tab renders bash command

Applications @rudream

[x] Verify that clicking on Add Application button renders dialogue
- [x] Verify input validation (prevent empty value and invalid url)
- [x] Verify after input and clicking on Generate Script, bash command is rendered
- [x] Verify clicking on Regenerate button regenerates token value in bash command

Databases @rudream

[ ] Verify that clicking on Add Database button renders dialogue for manual instructions:
- [ ] Verify selecting different options on Step 4 changes Step 5 commands
  Active Sessions
[x] Verify that "empty" state is handled
[x] Verify that it displays the session when session is active
[x] Verify that "Description", "Session ID", "Users", "Nodes" and "Duration" columns show correct values
[x] Verify that "OPTIONS" button allows to join a session

Audit log @rudream

[x] Verify that time range button is shown and works
[x] Verify that clicking on Session Ended event icon, takes user to session player
[x] Verify event detail dialogue renders when clicking on events details button
[x] Verify searching by type, description, created works

Users @rudream

[x] Verify that users are shown
[x] Verify that creating a new user works
[x] Verify that editing user roles works
[x] Verify that removing a user works
[x] Verify resetting a user's password works
[x] Verify search by username, roles, and type works

Auth Connectors @kimlisa

For help with setting up auth connectors, check out the [Quick GitHub/SAML/OIDC Setup Tips]

[x] Verify when there are no connectors, empty state renders
[x] Verify that creating OIDC/SAML/GITHUB connectors works
[x] Verify that editing OIDC/SAML/GITHUB connectors works
[x] Verify that error is shown when saving an invalid YAML
[x] Verify that correct hint text is shown on the right side
[ ] Verify that encrypted SAML assertions work with an identity provider that supports it (Azure).
[x] Verify that created GitHub, saml, oidc card has their icons
Roles @kimlisa
[x] Verify that roles are shown
[x] Verify that "Create New Role" dialog works
[x] Verify that deleting and editing works
[x] Verify that error is shown when saving an invalid YAML
[x] Verify that correct hint text is shown on the right side

Managed Clusters @kimlisa

[x] Verify that it displays a list of clusters (root + leaf)
[x] Verify that every menu item works: nodes, apps, audit events, session recordings, etc.

Help & Support @kimlisa

[x] Verify that all URLs work and correct (no 404)

Access Requests @avatus

Access Request is a Enterprise feature and is not available for OSS.

Creating Access Requests (Role Based)

Create a role with limited permissions allow-roles-and-nodes. This role allows you to see the Role screen and ssh into all nodes.

kind: role
metadata:
  name: allow-roles-and-nodes
spec:
  allow:
    logins:
    - root
    node_labels:
      '*': '*'
    rules:
    - resources:
      - role
      verbs:
      - list
      - read
  options:
    max_session_ttl: 8h0m0s
version: v5

Create another role with limited permissions allow-users-with-short-ttl. This role session expires in 4 minutes, allows you to see Users screen, and denies access to all nodes.

kind: role
metadata:
  name: allow-users-with-short-ttl
spec:
  allow:
    rules:
    - resources:
      - user
      verbs:
      - list
      - read
  deny:
    node_labels:
      '*': '*'
  options:
    max_session_ttl: 4m0s
version: v5

Create a user that has no access to anything but allows you to request roles:

kind: role
metadata:
  name: test-role-based-requests
spec:
  allow:
    request:
      roles:
      - allow-roles-and-nodes
      - allow-users-with-short-ttl
      suggested_reviewers:
      - random-user-1
      - random-user-2
version: v5

[x] Verify that under requestable roles, only allow-roles-and-nodes and allow-users-with-short-ttl are listed
[x] Verify you can select/input/modify reviewers
[x] Verify you can view the request you created from request list (should be in pending states)
[x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
[x] Verify you can't review own requests

Creating Access Requests (Search Based) @avatus

Create a role with access to searcheable resources (apps, db, kubes, nodes, desktops). The template searcheable-resources is below.

kind: role
metadata:
  name: searcheable-resources
spec:
  allow:
    app_labels:  # just example labels
      label1-key: label1-value
      env: [dev, staging] 
    db_labels:
      '*': '*'   # asteriks gives user access to everything
    kubernetes_labels:
      '*': '*' 
    node_labels:
      '*': '*'
    windows_desktop_labels:
      '*': '*'
version: v5

Create a user that has no access to resources, but allows you to search them:

kind: role
metadata:
  name: test-search-based-requests
spec:
  allow:
    request:
      search_as_roles:
      - searcheable resources
      suggested_reviewers:
      - random-user-1
      - random-user-2
version: v5

[x] Verify that a user can see resources based on the searcheable-resources rules
[x] Verify you can select/input/modify reviewers
[x] Verify you can view the request you created from request list (should be in pending states)
[x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
[x] Verify you can't review own requests
[x] Verify that you can't mix adding resources from different clusters (there should be a warning dialogue that clears the selected list)

Viewing & Approving/Denying Requests @avatus

Create a user with the role reviewer that allows you to review all requests, and delete them.

kind: role
version: v3
metadata:
  name: reviewer
spec:
  allow:
    review_requests:
      roles: ['*']

[x] Verify you can view access request from request list
[x] Verify you can approve a request with message, and immediately see updated state with your review stamp (green checkmark) and message box
[x] Verify you can deny a request, and immediately see updated state with your review stamp (red cross)
[x] Verify deleting the denied request is removed from list

Assuming Approved Requests (Role Based) @avatus

[x] Verify that assuming allow-roles-and-nodes allows you to see roles screen and ssh into nodes
[x] After assuming allow-roles-and-nodes, verify that assuming allow-users-short-ttl allows you to see users screen, and denies access to nodes
- [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
- [x] Verify switching back goes back to your default static role
- [x] Verify after re-assuming allow-users-short-ttl role, the user is automatically logged out after the expiry is met (4 minutes)

Assuming Approved Requests (Search Based) @avatus

[x] Verify that assuming approved request, allows you to see the resources you've requested.
Assuming Approved Requests (Both)
[x] Verify assume buttons are only present for approved request and for logged in user
[x] Verify that after clicking on the assume button, it is disabled in both the list and in viewing
[x] Verify that after re-login, requests that are not expired and are approved are assumable again

Access Request Waiting Room @ryanclark

Strategy Reason

Create the following role:

kind: role
metadata:
  name: waiting-room
spec:
  allow:
    request:
      roles:
      - <some other role to assign user after approval>
  options:
    max_session_ttl: 8h0m0s
    request_access: reason
    request_prompt: <some custom prompt to show in reason dialogue>
version: v3

[x] Verify after login, reason dialogue is rendered with prompt set to request_prompt setting
[x] Verify after clicking send request, pending dialogue renders
[x] Verify after approving a request, dashboard is rendered
[x] Verify the correct role was assigned

Strategy Always

With the previous role you created from Strategy Reason, change request_access to always:

[x] Verify after login, pending dialogue is auto rendered
[x] Verify after approving a request, dashboard is rendered
[x] Verify after denying a request, access denied dialogue is rendered
[x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
[x] Verify switchback button says Logout and clicking goes back to the login screen

Strategy Optional

With the previous role you created from Strategy Reason, change request_access to optional:

[x] Verify after login, dashboard is rendered as normal

Terminal @hatched

[x] Verify that top nav has a user menu (Main and Logout)
[x] Verify that switching between tabs works with ctrl+[1...9] (alt on linux/windows)

Node List Tab

[ ] Verify that Cluster selector works (URL should change too)
[x] Verify that Quick launcher input works
[x] Verify that Quick launcher input handles input errors
[x] Verify that "Connect" button shows a list of available logins
[x] Verify that "Hostname", "Address" and "Labels" columns show the current values
[x] Verify that "Search" by hostname, address, labels work
[x] Verify that new tab is created when starting a session

Session Tab

[x] Verify that session and browser tabs both show the title with login and node name
[x] Verify that terminal resize works
- Install midnight commander on the node you ssh into: $ sudo apt-get install mc
- Run the program: $ mc
- Resize the terminal to see if panels resize with it
[x] Verify that session tab shows/updates number of participants when a new user joins the session
[x] Verify that tab automatically closes on "$ exit" command
[x] Verify that SCP Upload works
[x] Verify that SCP Upload handles invalid paths and network errors
[x] Verify that SCP Download works
[x] Verify that SCP Download handles invalid paths and network errors

Session Player @hatched

[x] Verify that it can replay a session
[x] Verify that when playing, scroller auto scrolls to bottom most content
[x] Verify when resizing player to a small screen, scroller appears and is working
[x] Verify that error message is displayed (enter an invalid SID in the URL)

Invite and Reset Form @hatched

[x] Verify that input validates
[x] Verify that invite works with 2FA disabled
[x] Verify that invite works with OTP enabled
[x] Verify that invite works with U2F enabled
[x] Verify that invite works with WebAuthn enabled
[x] Verify that error message is shown if an invite is expired/invalid

Login Form and Change Password @rudream

[x] Verify that input validates
[x] Verify that login works with 2FA disabled
[x] Verify that changing passwords works for 2FA disabled
[x] Verify that login works with OTP enabled
[x] Verify that changing passwords works for OTP enabled
[x] Verify that login works with U2F enabled
[x] Verify that changing passwords works for U2F enabled
[x] Verify that login works with WebAuthn enabled
[x] Verify that changing passwords works for WebAuthn enabled
[x] Verify that login works for Github/SAML/OIDC
[x] Verify that redirect to original URL works after successful login
[x] Verify that account is locked after several unsuccessful login attempts
[ ] Verify that account is locked after several unsuccessful change password attempts

Multi-factor Authentication (mfa) @rudream

Create/modify teleport.yaml and set the following authentication settings under auth_service

authentication:
  type: local
  second_factor: optional
  require_session_mfa: yes
  webauthn:
    rp_id: example.com

MFA invite, login, password reset, change password

[x] Verify during invite/reset, second factor list all auth types: none, hardware key, and authenticator app
[x] Verify registration works with all option types
[x] Verify login with all option types
[x] Verify changing password with all option types
[x] Change second_factor type to on and verify that mfa is required (no option none in dropdown)

MFA require auth

Go to Account Settings > Two-Factor Devices and register a new device

Using the same user as above:

[x] Verify logging in with registered WebAuthn key works
[x] Verify connecting to a ssh node prompts you to tap your registered WebAuthn key
[ ] Verify in the web terminal, you can scp upload/download files

MFA Management

[x] Verify adding first device works without requiring re-authentication
[x] Verify re-authenticating with a WebAuthn device works
[x] Verify re-authenticating with a U2F device works
[x] Verify re-authenticating with a OTP device works
[x] Verify adding a WebAuthn device works
[x] Verify adding a U2F device works
[x] Verify adding an OTP device works
[x] Verify removing a device works
[x] Verify second_factor set to off disables adding devices

Passwordless

[x] Pure passwordless registrations and resets are possible
[x] Verify adding a passwordless device (WebAuthn)
[x] Verify passwordless logins

Cloud @rudream

From your cloud staging account, change the field teleportVersion to the test version.

$ kubectl -n <namespace> edit tenant

Recovery Code Management

[x] Verify generating recovery codes for local accounts with email usernames works
[x] Verify local accounts with non-email usernames are not able to generate recovery codes
[x] Verify SSO accounts are not able to generate recovery codes

Invite/Reset

[x] Verify email as usernames, renders recovery codes dialog
[x] Verify non email usernames, does not render recovery codes dialog

Recovery Flow: Add new mfa device

[x] Verify recovering (adding) a new hardware key device with password
[x] Verify recovering (adding) a new otp device with password
[x] Verify viewing and deleting any old device (but not the one just added)
[x] Verify new recovery codes are rendered at the end of flow

Recovery Flow: Change password

[x] Verify recovering password with any mfa device
[x] Verify new recovery codes are rendered at the end of flow

Recovery Email

[x] Verify receiving email for link to start recovery
[x] Verify receiving email for successfully recovering
[x] Verify email link is invalid after successful recovery
[x] Verify receiving email for locked account when max attempts reached

RBAC @kimlisa

Create a role, with no allow.rules defined:

kind: role
metadata:
  name: rbac
spec:
  allow:
    app_labels:
      '*': '*'
    logins:
    - root
    node_labels:
      '*': '*'
  options:
    max_session_ttl: 8h0m0s
version: v3

[x] Verify that a user has access only to: "Servers", "Applications", "Databases", "Kubernetes", "Active Sessions", "Access Requests"
[x] Verify there is no Add Server, Application, Databases, Kubernetes button in each respective view

Note: User has read/create access_request access to their own requests, despite resource settings

Add the following under spec.allow.rules to enable read access to the audit log:

  - resources:
      - event
      verbs:
      - list

[x] Verify that the Audit Log is accessible
[x] Verify that playing a recorded session is denied

Add the following to enable read access to recorded sessions

  - resources:
      - session
      verbs:
      - read
      - list

[x] Verify that a user can re-play a session (session.end)
[x] Verify that Session Recordings is accessible

Add the following to enable read access to the roles

- resources:
      - role
      verbs:
      - list
      - read

[x] Verify that a user can see the roles
[x] Verify that a user cannot create/delete/update a role

Add the following to enable read access to the auth connectors

- resources:
      - auth_connector
      verbs:
      - list
      - read

[x] Verify that a user can see the list of auth connectors.
[x] Verify that a user cannot create/delete/update the connectors

Add the following to enable read access to users

  - resources:
      - user
      verbs:
      - list
      - read

[x] Verify that a user can access the "Users" screen
[x] Verify that a user cannot reset password and create/delete/update a user

Add the following to enable read access to trusted clusters

  - resources:
      - trusted_cluster
      verbs:
      - list
      - read

[x] Verify that a user can access the "Trust" screen
[x] Verify that a user cannot create/delete/update a trusted cluster.
[x] Verify only Servers, Apps, Databases, and Kubernetes are listed under options button in Manage Clusters

Teleport Connect @ravicious @gzdunek

Auth methods @ravicious
- Verify that the app supports clusters using different auth settings (auth_service.authentication in the cluster config):
  - [x] type: local, second_factor: "off"
  - [x] type: local, second_factor: "otp"
  - [x] type: local, second_factor: "webauthn",
  - [x] type: local, second_factor: "webauthn", log in passwordlessly with hardware key
  - [x] type: local, second_factor: "webauthn", log in passwordlessly with touch ID
  - [x] type: local, second_factor: "optional", log in without MFA
  - [x] type: local, second_factor: "optional", log in with OTP
  - [x] type: local, second_factor: "optional", log in with hardware key
  - [x] type: local, second_factor: "on", log in with OTP
  - [x] type: local, second_factor: "on", log in with hardware key
  - [x] type: local, second_factor: "on", log in with passwordless auth
  - [x] Verify that the passwordless credential picker works.
    - To make the picker show up, you need to add the same MFA device with passwordless capabilities to multiple users.
  - Authentication connectors:
    - For those you might want to use clusters that are deployed on the web, specified in parens. Or set up the connectors on a local enterprise cluster following the guide from our wiki.
    - [x] GitHub (asteroid)
    - [x] local login on a GitHub-enabled cluster
    - [x] SAML (platform cluster)
    - [x] OIDC (e-demo)
Shell @gzdunek
- [x] Verify that the shell is pinned to the correct cluster (for root clusters and leaf clusters).
  - That is, opening new shell sessions in other workspaces or other clusters within the same workspace should have no impact on the original shell session.
- [x] Verify that the local shell is opened with correct env vars.
  - TELEPORT_PROXY and TELEPORT_CLUSTER should pin the session to the correct cluster.
  - TELEPORT_HOME should point to ~/Library/Application Support/Teleport Connect/tsh.
  - PATH should include /Applications/Teleport Connect.app/Contents/Resources/bin.
- [x] Verify that the working directory in the tab title is updated when you change the directory (only for local terminals).
- [x] Verify that terminal resize works for both local and remote shells.
  - Install midnight commander on the node you ssh into: $ sudo apt-get install mc
  - Run the program: $ mc
  - Resize Teleport Connect to see if the panels resize with it
- [x] Verify that the tab automatically closes on $ exit command.
- [x] Execute tsh ssh nonexistent-node in the command bar. Verify that you see a new tab with an error from tsh ssh.
Kubernetes access @ravicious
- [x] Open a new kubernetes tab, run echo $KUBECONFIG and check if it points to the file within Connect's app data directory.
- [x] Close the tab and open it again (to the same resource). Verify if the kubeconfig path didn't change.
- [x] Run kubectl get pods and see if the command succeeds.
- Verify if the kubeconfig file is removed when the user:
  - [x] Removes the connection
  - [x] Logs out of the cluster
State restoration from disk @gzdunek
- [x] Verify that the app asks about restoring previous tabs when launched and restores them properly.
- [x] Verify that the app opens with the cluster that was active when you closed the app.
- [x] Verify that the app remembers size & position after restart.
- [x] Verify that reopening a cluster that has no workspace assigned works.
- [x] Verify that reopening the app after removing ~/Library/Application Support/Teleport Connect/tsh doesn't crash the app.
- [x] Verify that reopening the app after removing ~/Library/Application Support/Teleport Connect/app_state.json but not the tsh dir doesn't crash the app.
- [x] Verify that logging out of a cluster and then logging in to the same cluster doesn't remember previous tabs (they should be cleared on logout).
- [x] Open a db connection tab. Change the db name and port. Close the tab. Restart the app. Open connection tracker and choose said db connection from it. Verify that the newly opened tab uses the same db name and port.
- [x] Log in to a cluster. Close the DocumentCluster tab. Open a new DocumentCluster tab. Restart the app. Verify that the app doesn't ask you about restoring previous tabs.
Connections picker @ravicious
- [x] Verify that the connections picker shows new connections when ssh & db tabs are opened.
- [x] Check if those connections are available after the app restart.
- [x] Check that those connections are removed after you log out of the root cluster that they belong to.
- [x] Verify that reopening a db connection from the connections picker remembers last used port.
Cluster resources (servers, databases, k8s) @gzdunek
- [x] Verify that the app shows the same resources as the Web UI.
- [x] Verify that search is working for the resources lists.
- [x] Verify that pagination is working for the resources lists.
- [x] Verify that pagination works in tandem with search, that is verify that search results are paginated too.
- [x] Verify that you can connect to these resources.
- [x] Verify that clicking "Connect" shows available logins and db usernames.
  - Logins and db usernames are taken from the role, under spec.allow.logins and spec.allow.db_users.
- [x] Repeat the above steps for resources in leaf clusters.
Tabs @ravicious
- [x] Verify that tabs have correct titles set.
- [x] Verify that changing tab position works.
Shortcuts @gzdunek
- [x] Verify that switching between tabs works on Cmd+[1...9].
- [x] Verify that other shortcuts are shown after you close all tabs.
- [x] Verify that the other shortcuts work and each of them is shown on hover on relevant UI elements.
Workspaces & cluster management @ravicious
- [x] Verify that logging in to a new cluster adds it to the identity switcher and switches to the workspace of that cluster automatically.
- [x] Verify that the state of the current workspace is preserved when you change the workspace (by switching to another cluster) and return to the previous workspace.
- [x] Click "Add another cluster", provide an address to a cluster that was already added. Verify that Connect simply changes the workspace to that of that cluster.
- [x] Click "Add another cluster", provide an address to a new cluster and submit the form. Close the modal when asked for credentials. Verify that the cluster was still added and is visible in the profile selector.
Command bar & autocomplete @gzdunek
- Do the steps for the root cluster, then switch to a leaf cluster and repeat them.
- [x] Verify that the autocomplete for tsh ssh filters SSH logins and autocompletes them.
- [x] Verify that the autocomplete for tsh ssh filters SSH hosts by name and label and autocompletes them.
- [x] Verify that launching an invalid tsh ssh command shows the error in a new tab.
- [x] Verify that launching a valid tsh ssh command opens a new tab with the session opened.
- [x] Verify that the autocomplete for tsh proxy db filters databases by name and label and autocompletes them.
- [x] Verify that launching a tsh proxy db command opens a new local shell with the command running.
- [x] Verify that the autocomplete for tsh ssh doesn't break when you cut/paste commands in various points.
- [x] Verify that manually typing out what the autocomplete would suggest doesn't break the command bar.
- [x] Verify that launching any other command that's not supported by the autocomplete opens a new local shell with that command running.
Resilience when resources become unavailable @ravicious
- DocumentCluster
  - For each scenario, create at least one DocumentCluster tab for each available resource kind.
  - For each scenario, first do the action described in the bullet point, then refetch list of resources by entering the search field and pressing enter. Verify that no unrecoverable error was raised (that is, the app still works). Then restart the app and verify that it was restarted gracefully (no unrecoverable error on restart, the user can continue using the app).
    - [x] Stop the root cluster.
    - [x] Stop a leaf cluster.
    - [x] Disconnect your device from the internet.
- DocumentGateway
  - [x] Verify that you can't open more than one tab for the same db server + username pair. Trying to open a second tab with the same pair should just switch you to the already existing tab.
  - [x] Create a db connection tab for a given database. Then remove access to that db for that user. Go back to Connect and change the database name and port. Both actions should not return an error.
  - [x] Open DocumentCluster and make sure a given db is visible on the list of available dbs. Click "Connect" to show a list of db users. Now remove access to that db. Go back to Connect and choose a username. Verify that a recoverable error is shown and the user can continue using the app.
  - [x] Create a db connection, close the app, run tsh proxy db with the same port, start the app. Verify that the app doesn't crash and the db connection tab shows you the error (address in use) and offers a way to retry creating the connection.
File transfer @ravicious
- Download
  - [x] Verify if Connect asks for a path when downloading the file.
  - [x] Verify that invalid paths and network errors are handled.
  - [x] Verify if cancelling the download works.
- Upload
  - [x] Verify if uploading single/multiple files works.
  - [x] Verify that invalid paths and network errors are handled.
  - [x] Verify if cancelling the upload works.
Refreshing certs @gzdunek
- To test scenarios from this section, create a user with a role that has TTL of 1m (spec.options.max_session_ttl).
- Log in, create a db connection and run the CLI command; wait for the cert to expire, make another connection to the local db proxy.
  - [x] Verify that the window received focus and a modal login is shown.
  - Verify that after successfully logging in:
    - [x] The cluster info is synced.
    - [x] The first connection wasn't dropped; try executing select now();, the client should be able to automatically reinstantiate the connection.
    - [x] The database proxy is able to handle new connections; click "Run" in the db tab and see if it connects without problems. You might need to resync the cluster again in case they managed to expire.
  - [x] Verify that closing the login modal without logging in shows an appropriate error.
- Log in, create a db connection, then remove access to that db server for that user; wait for the cert to expire, then attempt to make a connection through the proxy; log in.
  - [x] Verify that the db tab shows an appropriate error.
- Log in, open a cluster tab, wait for the cert to expire. Switch from a servers view to databases view.
  - [x] Verify that a login modal was shown.
  - [x] Verify that after logging in, the database list is shown.
Access Requests @avatus
[x] Verify the access request popout menu isn't visible on a non-enterprise cluster
- Creating Access Requests (Role Based)
  - To setup a test environment, follow the steps laid out in Created Access Requests (Role Based) from the Web UI testplan and then verify the tasks below.
  - [x] Verify that under requestable roles, only allow-roles-and-nodes and allow-users-with-short-ttl are listed
  - [x] Verify you can select/input/modify reviewers
  - [x] Verify you can view the request you created from request list (should be in a pending state)
  - [x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
  - [x] Verify you can't review own requests
- Creating Access Requests (Search Based)
  - To setup a test environment, follow the steps laid out in Created Access Requests (Search Based) from the Web UI testplan and then verify the tasks below.
  - [x] Verify that a user can see resources based on the searcheable-resources rules
  - [x] Verify you can select/input/modify reviewers
  - [x] Verify you can view the request you created from request list (should be in a pending state)
  - [x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
  - [x] Verify you can't review own requests
  - [x] Verify that you can't mix adding resources from different clusters (there should be a warning dialogue that clears the selected list)
  - [x] Verify that you can't mix roles and resources into the same request.
- Viewing & Approving/Denying Requests
  - To setup a test environment, follow the steps laid out in Viewing & Approving/Denying Requests from the Web UI testplan and then verify the tasks below.
  - [x] Verify you can view access request from request list
  - [x] Verify you can approve a request with message, and immediately see updated state with your review stamp (green checkmark) and message box
  - [x] Verify you can deny a request, and immediately see updated state with your review stamp (red cross)
  - [x] Verify deleting the denied request is removed from list
- Assuming Approved Requests (Role Based)
  - [x] Verify that assuming allow-roles-and-nodes allows you to see roles screen and ssh into nodes
  - [x] After assuming allow-roles-and-nodes, verify that assuming allow-users-short-ttl allows you to see users screen, and denies access to nodes
  - [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
  - [x] Verify switching back goes back to your default static role
  - [x] Verify after re-assuming allow-users-short-ttl role, the user is automatically logged out after the expiry is met (4 minutes)
- Assuming Approved Requests (Search Based)
  - [x] Verify that assuming approved request, allows you to see the resources you've requested.
- Assuming Approved Requests (Both)
  - [x] Verify assume buttons are only present for approved request and for logged in user
  - [x] Verify that after clicking on the assume button, it is disabled in both the list and in viewing
  - [x] Verify that after re-login, requests that are not expired and are approved are assumable again
[x] Verify that logs are collected for all processes (main, renderer, shared, tshd) under ~/Library/Application\ Support/Teleport\ Connect/logs. @gzdunek
[x] Verify that the password from the login form is not saved in the renderer log. @gzdunek
[x] Log in to a cluster, then log out and log in again as a different user. Verify that the app works properly after that. @ravicious
[x] Start the most recent version of the previous major version of Connect. Open all available documents. Close the app and upgrade it to the next version. Verify that the app boots and restores the state properly. @ravicious

gravitational / teleport