Teleport 15 Web Test Plan

[r0mant]

Web UI

Main

For main, test with a role that has access to all resources.

• [ ] Interact with a cluster using the Web UI
  • [x] Connect to a Teleport node
  • [ ] Connect to a OpenSSH node
  • [x] Check agent forwarding is correct based on role and proxy mode.
    • Set forward_agent: true under the options section of your role, and then test that your teleport certs show up when you run ssh-add -l on the node.

Top Nav

• [x] Verify that cluster selector displays all (root + leaf) clusters
• [x] Verify that user name is displayed
• [x] Verify that user menu shows logout, help&support, and account settings (for local users)

Side Nav

• [x] Verify that each item has an icon
• [ ] Verify that Collapse/Expand works and collapsed has icon >, and expand has icon v
• [ ] Verify that it automatically expands and highlights the item on page refresh

Unified Resources

• [x] Verify that scrolling to the bottom of the page renders more resources
• [x] Verify that all resource types are visible if no filters are present
• [x] Verify that "Search" by (host)name, address, labels works for all resources

  Servers aka Nodes

• [x] Verify that "Servers" type shows all joined nodes
• [x] Verify that "Connect" button shows a list of available logins
• [x] Verify that terminal opens when clicking on one of the available logins
• [x] Verify that clicking on Add Resource button correctly sends to the resource discovery page

  Applications

• [x] Verify that the app icons are correctly displayed
• [x] Verify that filtering types by Application includes applications in the page
• [x] Verify that the Launch button for applications correctly send to the app
• [x] Verify that the Launch button for AWS apps correctly renders an IAM role selection window

  Databases

• [x] Verify that the database subtype icons are correctly displayed
• [x] Verify that filtering types by Databases includes databases in the page
• [x] Verify that clicking Connect renders the dialog with correct information

Kubes

• [x] Verify that filtering types by Kubes includes kubes in the page
• [x] Verify that clicking Connect renders the dialog with correct information

Desktops

• [x] Verify that filtering types by Desktops includes desktops in the page
• [x] Verify that clicking Connect renders a login selection and that the logins are completely in view

  Active Sessions

• [x] Verify that "empty" state is handled
• [x] Verify that it displays the session when session is active
• [x] Verify that "Description", "Session ID", "Users", "Nodes" and "Duration" columns show correct values (outdated but columns render)
• [ ] Verify that "OPTIONS" button allows to join a session

Audit log

• [x] Verify that time range button is shown and works
• [ ] Verify that clicking on Session Ended event icon, takes user to session player (removed)
• [x] Verify event detail dialogue renders when clicking on events details button
• [x] Verify searching by type, description, created works

Users

• [x] Verify that users are shown
• [x] Verify that creating a new user works
• [x] Verify that editing user roles works
• [x] Verify that removing a user works
• [x] Verify resetting a user's password works
• [x] Verify search by username, roles, and type works

Auth Connectors

For help with setting up auth connectors, check out the [Quick GitHub/SAML/OIDC Setup Tips]

• [x] Verify when there are no connectors, empty state renders
• [x] Verify that creating OIDC/SAML/GITHUB connectors works
• [x] Verify that editing OIDC/SAML/GITHUB connectors works
• [x] Verify that error is shown when saving an invalid YAML
• [x] Verify that correct hint text is shown on the right side
• [ ] Verify that encrypted SAML assertions work with an identity provider that supports it (Azure).
• [x] Verify that created GitHub, saml, oidc card has their icons

  Roles

• [x] Verify that roles are shown
• [x] Verify that "Create New Role" dialog works
• [x] Verify that deleting and editing works
• [x] Verify that error is shown when saving an invalid YAML
• [x] Verify that correct hint text is shown on the right side

Managed Clusters

• [x] Verify that it displays a list of clusters (root + leaf)
• [x] Verify that every menu item works: nodes, apps, audit events, session recordings, etc. (outdated but test routes)

Help & Support

• [x] Verify that all URLs work and correct (no 404)

Access Requests

Access Request is a Enterprise feature and is not available for OSS.

Creating Access Requests (Role Based)

Create a role with limited permissions allow-roles-and-nodes. This role allows you to see the Role screen and ssh into all nodes.

kind: role
metadata:
  name: allow-roles-and-nodes
spec:
  allow:
    logins:
    - root
    node_labels:
      '*': '*'
    rules:
    - resources:
      - role
      verbs:
      - list
      - read
  options:
    max_session_ttl: 8h0m0s
version: v5

Create another role with limited permissions allow-users-with-short-ttl. This role session expires in 4 minutes, allows you to see Users screen, and denies access to all nodes.

kind: role
metadata:
  name: allow-users-with-short-ttl
spec:
  allow:
    rules:
    - resources:
      - user
      verbs:
      - list
      - read
  deny:
    node_labels:
      '*': '*'
  options:
    max_session_ttl: 4m0s
version: v5

Create a user that has no access to anything but allows you to request roles:

kind: role
metadata:
  name: test-role-based-requests
spec:
  allow:
    request:
      roles:
      - allow-roles-and-nodes
      - allow-users-with-short-ttl
      suggested_reviewers:
      - random-user-1
      - random-user-2
version: v5

• [x] Verify that under requestable roles, only allow-roles-and-nodes and allow-users-with-short-ttl are listed
• [x] Verify you can select/input/modify reviewers
• [x] Verify you can view the request you created from request list (should be in pending states)
• [x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
• [x] Verify you can't review own requests

Creating Access Requests (Search Based)

Create a role with access to searcheable resources (apps, db, kubes, nodes, desktops). The template searcheable-resources is below.

kind: role
metadata:
  name: searcheable-resources
spec:
  allow:
    app_labels:  # just example labels
      label1-key: label1-value
      env: [dev, staging]
    db_labels:
      '*': '*'   # asteriks gives user access to everything
    kubernetes_labels:
      '*': '*'
    node_labels:
      '*': '*'
    windows_desktop_labels:
      '*': '*'
version: v5

Create a user that has no access to resources, but allows you to search them:

kind: role
metadata:
  name: test-search-based-requests
spec:
  allow:
    request:
      search_as_roles:
      - searcheable resources
      suggested_reviewers:
      - random-user-1
      - random-user-2
version: v5

• [x] Verify that a user can see resources based on the searcheable-resources rules
• [x] Verify you can select/input/modify reviewers
• [x] Verify you can view the request you created from request list (should be in pending states)
• [x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
• [x] Verify you can't review own requests
• [x] Verify that you can't mix adding resources from different clusters (there should be a warning dialogue that clears the selected list)

Viewing & Approving/Denying Requests

Create a user with the role reviewer that allows you to review all requests, and delete them.

kind: role
version: v3
metadata:
  name: reviewer
spec:
  allow:
    review_requests:
      roles: ['*']

• [x] Verify you can view access request from request list
• [x] Verify you can approve a request with message, and immediately see updated state with your review stamp (green checkmark) and message box
• [x] Verify you can deny a request, and immediately see updated state with your review stamp (red cross)
• [x] Verify deleting the denied request is removed from list

Assuming Approved Requests (Role Based)

• [x] Verify that assuming allow-roles-and-nodes allows you to see roles screen and ssh into nodes
• [x] After assuming allow-roles-and-nodes, verify that assuming allow-users-short-ttl allows you to see users screen, and denies access to nodes
  • [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
  • [x] Verify switching back goes back to your default static role
  • [x] Verify after re-assuming allow-users-short-ttl role, the user is automatically logged out after the expiry is met (4 minutes)

Assuming Approved Requests (Search Based)

• [x] Verify that assuming approved request, allows you to see the resources you've requested.

  Assuming Approved Requests (Both)

• [x] Verify assume buttons are only present for approved request and for logged in user
• [x] Verify that after clicking on the assume button, it is disabled in both the list and in viewing
• [x] Verify that after re-login, requests that are not expired and are approved are assumable again

Access Request Waiting Room

Strategy Reason

Create the following role:

kind: role
metadata:
  name: waiting-room
spec:
  allow:
    request:
      roles:
      - <some other role to assign user after approval>
  options:
    max_session_ttl: 8h0m0s
    request_access: reason
    request_prompt: <some custom prompt to show in reason dialogue>
version: v3

• [x] Verify after login, reason dialogue is rendered with prompt set to request_prompt setting
• [x] Verify after clicking send request, pending dialogue renders
• [x] Verify after approving a request, dashboard is rendered
• [x] Verify the correct role was assigned

Strategy Always

With the previous role you created from Strategy Reason, change request_access to always:

• [x] Verify after login, pending dialogue is auto rendered
• [x] Verify after approving a request, dashboard is rendered
• [x] Verify after denying a request, access denied dialogue is rendered
• [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
• [x] Verify switchback button says Logout and clicking goes back to the login screen

Strategy Optional

With the previous role you created from Strategy Reason, change request_access to optional:

• [x] Verify after login, dashboard is rendered as normal

Terminal

• [x] Verify that top nav has a user menu (Main and Logout)
• [x] Verify that switching between tabs works with ctrl+[1...9] (alt on linux/windows)

Node List Tab

• [x] Verify that Cluster selector works (URL should change too)
• [x] Verify that "Connect" button shows a list of available logins
• [x] Verify that "Hostname", "Address" and "Labels" columns show the current values
• [x] Verify that "Search" by hostname, address, labels work
• [x] Verify that new tab is created when starting a session

Session Tab

• [x] Verify that session and browser tabs both show the title with login and node name
• [x] Verify that terminal resize works
  • Install midnight commander on the node you ssh into: $ sudo apt-get install mc
  • Run the program: $ mc
  • Resize the terminal to see if panels resize with it
• [x] Verify that session tab shows/updates number of participants when a new user joins the session
• [x] Verify that tab automatically closes on "$ exit" command
• [x] Verify that SCP Upload works
• [x] Verify that SCP Upload handles invalid paths and network errors
• [x] Verify that SCP Download works
• [x] Verify that SCP Download handles invalid paths and network errors

Session Player

• [x] Verify that it can replay a session
• [x] Verify that when playing, scroller auto scrolls to bottom most content
• [x] Verify when resizing player to a small screen, scroller appears and is working
• [x] Verify that error message is displayed (enter an invalid SID in the URL)

Invite and Reset Form (@rudream)

• [x] Verify that input validates
• [x] Verify that invite works with 2FA disabled
• [x] Verify that invite works with OTP enabled
• [ ] Verify that invite works with U2F enabled
• [x] Verify that invite works with WebAuthn enabled
• [x] Verify that error message is shown if an invite is expired/invalid

Login Form and Change Password (@rudream)

• [x] Verify that input validates
• [x] Verify that login works with 2FA disabled
• [x] Verify that changing passwords works for 2FA disabled
• [x] Verify that login works with OTP enabled
• [x] Verify that changing passwords works for OTP enabled
• [ ] Verify that login works with U2F enabled
• [ ] Verify that changing passwords works for U2F enabled
• [x] Verify that login works with WebAuthn enabled
• [x] Verify that changing passwords works for WebAuthn enabled
• [x] Verify that login works for Github/SAML/OIDC
• [x] Verify that redirect to original URL works after successful login
• [x] Verify that account is locked after several unsuccessful login attempts
• [x] Verify that account is locked after several unsuccessful change password attempts

Multi-factor Authentication (mfa) (@rudream)

Create/modify teleport.yaml and set the following authentication settings under auth_service

authentication:
  type: local
  second_factor: optional
  require_session_mfa: yes
  webauthn:
    rp_id: example.com

MFA invite, login, password reset, change password

• [x] Verify during invite/reset, second factor list all auth types: none, hardware key, and authenticator app
• [x] Verify registration works with all option types
• [x] Verify login with all option types
• [x] Verify changing password with all option types
• [x] Change second_factor type to on and verify that mfa is required (no option none in dropdown)

MFA require auth

Go to Account Settings > Two-Factor Devices and register a new device

Using the same user as above:

• [x] Verify logging in with registered WebAuthn key works
• [x] Verify connecting to a ssh node prompts you to tap your registered WebAuthn key
• [x] Verify in the web terminal, you can scp upload/download files

MFA Management

• [ ] Verify adding first device works without requiring re-authentication
• [ ] Verify re-authenticating with a WebAuthn device works
• [ ] Verify re-authenticating with a U2F device works
• [x] Verify re-authenticating with a OTP device works
• [x] Verify adding a WebAuthn device works
• [ ] Verify adding a U2F device works
• [x] Verify adding an OTP device works
• [x] Verify removing a device works
• [x] Verify second_factor set to off disables adding devices

Passwordless

• [x] Pure passwordless registrations and resets are possible
• [x] Verify adding a passwordless device (WebAuthn)
• [x] Verify passwordless logins

Cloud (@rudream)

From your cloud staging account, change the field teleportVersion to the test version.

$ kubectl -n <namespace> edit tenant

Recovery Code Management

• [x] Verify generating recovery codes for local accounts with email usernames works
• [x] Verify local accounts with non-email usernames are not able to generate recovery codes
• [x] Verify SSO accounts are not able to generate recovery codes

Invite/Reset

• [x] Verify email as usernames, renders recovery codes dialog
• [ ] Verify non email usernames, does not render recovery codes dialog (you cannot invite non-email usernames)

Recovery Flow: Add new mfa device

• [x] Verify recovering (adding) a new hardware key device with password
• [x] Verify recovering (adding) a new otp device with password
• [x] Verify viewing and deleting any old device (but not the one just added)
• [x] Verify new recovery codes are rendered at the end of flow

Recovery Flow: Change password

• [x] Verify recovering password with any mfa device
• [x] Verify new recovery codes are rendered at the end of flow

Recovery Email

• [x] Verify receiving email for link to start recovery
• [x] Verify receiving email for successfully recovering
• [x] Verify email link is invalid after successful recovery
• [x] Verify receiving email for locked account when max attempts reached

RBAC (@rudream)

Create a role, with no allow.rules defined:

kind: role
metadata:
  name: rbac
spec:
  allow:
    app_labels:
      '*': '*'
    logins:
    - root
    node_labels:
      '*': '*'
  options:
    max_session_ttl: 8h0m0s
version: v3

• [x] Verify that a user has access only to: "Servers", "Applications", "Databases", "Kubernetes" (now unified view), "Active Sessions", "Access Requests" and "Manage Clusters"
• [x] Verify there is no Add Server, Application, Databases, Kubernetes button in each respective view
• [ ] Verify only Servers, Apps, Databases, and Kubernetes are listed under options button in Manage Clusters

Note: User has read/create access_request access to their own requests, despite resource settings

Add the following under spec.allow.rules to enable read access to the audit log:

  - resources:
      - event
      verbs:
      - list

• [x] Verify that the Audit Log and Session Recordings is accessible
• [ ] Verify that playing a recorded session is denied

Add the following to enable read access to recorded sessions

  - resources:
      - session
      verbs:
      - read

• [x] Verify that a user can re-play a session (session.end)

Add the following to enable read access to the roles

- resources:
      - role
      verbs:
      - list
      - read

• [x] Verify that a user can see the roles
• [x] Verify that a user cannot create/delete/update a role

Add the following to enable read access to the auth connectors

- resources:
      - auth_connector
      verbs:
      - list
      - read

• [x] Verify that a user can see the list of auth connectors.
• [x] Verify that a user cannot create/delete/update the connectors

Add the following to enable read access to users

  - resources:
      - user
      verbs:
      - list
      - read

• [x] Verify that a user can access the "Users" screen
• [x] Verify that a user cannot reset password and create/delete/update a user

Add the following to enable read access to trusted clusters

  - resources:
      - trusted_cluster
      verbs:
      - list
      - read

• [x] Verify that a user can access the "Trust" screen
• [x] Verify that a user cannot create/delete/update a trusted cluster.

Locks

Checking that you can view, create, and delete locks.

• [ ] Existing locks listing page.
  • [ ] It lists all of the existing locks in the system.
  • [ ] Locks without a Locked By and Start Date are still shown with those fields empty.
  • [ ] Clicking the trash can deletes the lock with a spinner.
  • [ ] Table columns are sortable.
  • [ ] Table search field filters the results.
• [ ] Adding a new lock. (+ Add New Lock).
  • [x] Target switcher shows the locks for the various target types (User, Role, Login, Node, MFA Device, Windows Desktop, Access Request).
  • [x] Target switcher has "Access Request" in E build but not in OSS.
  • [x] You can add lock targets from multiple target types.
  • [x] Adding a target disables that "add button".
  • [x] You cannot proceed if you haven't selected targets to lock.
  • [x] You can clear the selected targets prior to creating locks.
  • [x] Proceeding to lock opens an animated slide panel from the right.
  • [x] You can remove lock targets from the slide panel.
  • [x] Creating a lock with message and TTL correctly create the lock.
  • [x] Create a lock without message and TTL, they should be optional.

Enroll new resources using Discover Wizard

Use Discover Wizard to enroll new resources and access them:

• [x] SSH Server
• [ ] Self-Hosted PostgreSQL
• [ ] AWS RDS PostgreSQL
• [x] Kubernetes
• [ ] AWS EKS cluster
• [x] Windows Desktop Active Directory @ibeckermayer

Teleport Connect

• Auth methods @gzdunek
  • Verify that the app supports clusters using different auth settings (auth_service.authentication in the cluster config):
    • [x] type: local, second_factor: "off"
    • [x] type: local, second_factor: "otp"
      • [x] Test per-session MFA items listed later in the test plan.
    • [x] type: local, second_factor: "webauthn",
      • [x] Test per-session MFA items listed later in the test plan.
    • [x] type: local, second_factor: "webauthn", log in passwordlessly with hardware key
    • [x] type: local, second_factor: "webauthn", log in passwordlessly with touch ID
    • [x] type: local, second_factor: "optional", log in without MFA
    • [x] type: local, second_factor: "optional", log in with OTP
    • [x] type: local, second_factor: "optional", log in with hardware key
    • [x] type: local, second_factor: "on", log in with OTP
      • [x] Test per-session MFA items listed later in the test plan.
    • [x] type: local, second_factor: "on", log in with hardware key
    • [x] type: local, second_factor: "on", log in with passwordless auth
    • [x] Verify that the passwordless credential picker works.
      • To make the picker show up, you need to add the same MFA device with passwordless capabilities to multiple users.
    • Authentication connectors:
      • For those you might want to use clusters that are deployed on the web, specified in parens. Or set up the connectors on a local enterprise cluster following the guide from our wiki.
      • [x] GitHub (asteroid)
      • [x] local login on a GitHub-enabled cluster
      • [x] SAML (platform cluster)
      • [x] OIDC (e-demo)
  • Verify that all items from this section work on:
    • [x] macOS
    • [x] Windows
    • [x] Linux
• Shell @gzdunek
  • [x] Verify that the shell is pinned to the correct cluster (for root clusters and leaf clusters).
    • That is, opening new shell sessions in other workspaces or other clusters within the same workspace should have no impact on the original shell session.
  • [x] Verify that the local shell is opened with correct env vars.
    • TELEPORT_PROXY and TELEPORT_CLUSTER should pin the session to the correct cluster.
    • TELEPORT_HOME should point to ~/Library/Application Support/Teleport Connect/tsh.
    • PATH should include /Applications/Teleport Connect.app/Contents/Resources/bin.
  • [x] Verify that the working directory in the tab title is updated when you change the directory (only for local terminals).
  • [x] Verify that terminal resize works for both local and remote shells.
    • Install midnight commander on the node you ssh into: $ sudo apt-get install mc
    • Run the program: $ mc
    • Resize Teleport Connect to see if the panels resize with it
  • [x] Verify that the tab automatically closes on $ exit command.
  • Verify that all items from this section work on:
    • [x] macOS
    • [x] Windows
    • [x] Linux
• Kubernetes access
  • [x] Open a new kubernetes tab, run echo $KUBECONFIG and check if it points to the file within Connect's app data directory.
  • [x] Close the tab and open it again (to the same resource). Verify that the kubeconfig path didn't change.
  • [x] Run kubectl get pods -A and verify that the command succeeds. Then create a pod with kubectl apply -f https://k8s.io/examples/application/shell-demo.yaml and exec into it with kubectl exec --stdin --tty shell-demo -- /bin/bash. Verify that the shell works.
    • For execing into a pod, you might need to create a ClusterRoleBinding in k8s for the admin role. Then you need to add the k8s group (which maps to the k8s admin role in ClusterRoleBinding) to kubernetes_groups of your Teleport role.
    • [x] Repeat the above check for a k8s cluster connected to a leaf cluster.
  • Verify that the kubeconfig file is removed when the user:
    • [x] Removes the connection
    • [x] Logs out of the cluster
    • [x] Closes Teleport Connect
  • Verify that all items from this section work on:
    • [x] macOS
    • [x] Windows
    • [x] Linux
• State restoration from disk @gzdunek
  • [x] Verify that the app asks about restoring previous tabs when launched and restores them properly.
  • [x] Verify that the app opens with the cluster that was active when you closed the app.
  • [x] Verify that the app remembers size & position after restart.
    • Verify that this works on:
      • [x] macOS
      • [x] Windows
      • [x] Linux
  • [x] Verify that reopening a cluster that has no workspace assigned works.
  • [x] Verify that reopening the app after removing ~/Library/Application Support/Teleport Connect/tsh doesn't crash the app.
  • [x] Verify that reopening the app after removing ~/Library/Application Support/Teleport Connect/app_state.json but not the tsh dir doesn't crash the app.
  • [x] Verify that logging out of a cluster and then logging in to the same cluster doesn't remember previous tabs (they should be cleared on logout).
  • [x] Open a db connection tab. Change the db name and port. Close the tab. Restart the app. Open connection tracker and choose said db connection from it. Verify that the newly opened tab uses the same db name and port.
  • [x] Log in to a cluster. Close the DocumentCluster tab. Open a new DocumentCluster tab. Restart the app. Verify that the app doesn't ask you about restoring previous tabs.
• Connections picker @gzdunek
  • [x] Verify that the connections picker shows new connections when ssh & db tabs are opened.
  • [x] Check if those connections are available after the app restart.
  • [x] Check that those connections are removed after you log out of the root cluster that they belong to.
  • [x] Verify that reopening a db connection from the connections picker remembers last used port.
• Cluster resources (servers, databases, k8s, apps) @gzdunek
  • [x] Verify that the app shows the same resources as the Web UI.
  • [x] Verify that search is working for the resources list.
  • [x] Verify that pagination is working for the resources list.
  • [x] Verify that pagination works in tandem with search, that is verify that search results are paginated too.
  • [x] Verify that you can connect to these resources.
    • Verify that this works on:
      • [x] macOS
      • [x] Windows
      • [x] Linux
  • [x] Verify that clicking "Connect" shows available logins and db usernames.
    • Logins and db usernames are taken from the role, under spec.allow.logins and spec.allow.db_users.
  • [x] Repeat the above steps for resources in leaf clusters.
• Tabs @gzdunek
  • [x] Verify that tabs have correct titles set.
  • [x] Verify that changing tab position works.
• Shortcuts @gzdunek
  • [x] Verify that switching between tabs works on Cmd+[1...9].
  • [x] Verify that other shortcuts are shown after you close all tabs.
  • [x] Verify that the other shortcuts work and each of them is shown on hover on relevant UI elements.
  • Verify that all items from this section work on:
    • [x] macOS
    • [x] Windows
    • [x] Linux
• Workspaces & cluster management @gzdunek
  • [x] Verify that logging in to a new cluster adds it to the identity switcher and switches to the workspace of that cluster automatically.
  • [x] Verify that the state of the current workspace is preserved when you change the workspace (by switching to another cluster) and return to the previous workspace.
  • [x] Click "Add another cluster", provide an address to a cluster that was already added. Verify that Connect simply changes the workspace to that of that cluster.
  • [x] Click "Add another cluster", provide an address to a new cluster and submit the form. Close the modal when asked for credentials. Verify that the cluster was still added and is visible in the profile selector.
• Search bar @gzdunek
  • [x] Verify that you can connect to all three resources types on root clusters and leaf clusters.
  • [x] Verify that picking a resource filter and a cluster filter at the same time works as expected.
  • [x] Verify that connecting to a resource from a different root cluster switches to the workspace of that root cluster.
  • Shut down a root cluster.
    • [x] Verify that attempting to search returns "Some of the search results are incomplete" in the search bar.
    • [x] Verify that clicking "Show details" next to the error message and then closing the modal by clicking one of the buttons or by pressing Escape does not close the search bar.
  • Log in as a user with a short TTL. Make sure you're not logged in to any other cluster. Wait for the cert to expire. Enter a search term that usually returns some results.
    • [x] Relogin when asked. Verify that the search bar is not collapsed and shows search results.
    • [x] Close the login modal instead of logging in. Verify that the search bar is not collapsed and shows "No matching results found".
• Resilience when resources become unavailable
  • DocumentCluster
    • For each scenario, create at least one DocumentCluster tab for each available resource kind.
    • For each scenario, first do the action described in the bullet point, then refetch list of resources by entering the search field and pressing enter. Verify that no unrecoverable error was raised (that is, the app still works). Then restart the app and verify that it was restarted gracefully (no unrecoverable error on restart, the user can continue using the app).
      • [x] Stop the root cluster.
      • [x] Stop a leaf cluster.
      • [x] Disconnect your device from the internet.
  • DocumentGateway
    • [x] Verify that you can't open more than one tab for the same db server + username pair. Trying to open a second tab with the same pair should just switch you to the already existing tab.
    • [x] Create a db connection tab for a given database. Then remove access to that db for that user. Go back to Connect and change the database name and port. Both actions should not return an error.
    • [x] Open DocumentCluster and make sure a given db is visible on the list of available dbs. Click "Connect" to show a list of db users. Now remove access to that db. Go back to Connect and choose a username. Verify that a recoverable error is shown and the user can continue using the app.
    • [x] Create a db connection, close the app, run tsh proxy db with the same port, start the app. Verify that the app doesn't crash and the db connection tab shows you the error (address in use) and offers a way to retry creating the connection.
      • Verify that this works on:
      • [x] macOS
      • [x] Windows
      • [x] Linux
• File transfer @gzdunek
  • Download
    • [x] Verify if Connect asks for a path when downloading the file.
    • [x] Verify that invalid paths and network errors are handled.
    • [x] Verify if cancelling the download works.
  • Upload
    • [x] Verify if uploading single/multiple files works.
    • [x] Verify that invalid paths and network errors are handled.
    • [x] Verify if cancelling the upload works.
• Refreshing certs @gzdunek
  • To test scenarios from this section, create a user with a role that has TTL of 1m (spec.options.max_session_ttl).
  • Log in, create a db connection and run the CLI command; wait for the cert to expire, make another connection to the local db proxy.
    • [x] Verify that the window received focus and a modal login is shown.
      • Verify that this works on:
      • [x] macOS
      • [x] Windows
      • [x] Linux
    • Verify that after successfully logging in:
      • [x] The cluster info is synced.
      • [x] The first connection wasn't dropped; try executing select now();, the client should be able to automatically reinstantiate the connection.
      • [x] The database proxy is able to handle new connections; click "Run" in the db tab and see if it connects without problems. You might need to resync the cluster again in case they managed to expire.
    • [x] Verify that closing the login modal without logging in shows an appropriate error.
  • Log in, create a db connection, then remove access to that db server for that user; wait for the cert to expire, then attempt to make a connection through the proxy; log in.
    • [x] Verify that psql shows an appropriate access denied error ("access to db denied. User does not have permissions. Confirm database user and name").
  • Log in, open a cluster tab, wait for the cert to expire. Switch from a servers view to databases view.
    • [x] Verify that a login modal was shown.
    • [x] Verify that after logging in, the database list is shown.
  • Log in, set up two db connections. Wait for the cert to expire. Attempt to connect to the first proxy, then without logging in proceed to connect to the second proxy.
    • [x] Verify that an error notification was shown related to another login attempt being in progress.
• Access Requests
  • Creating Access Requests (Role Based)
    • To setup a test environment, follow the steps laid out in Created Access Requests (Role Based) from the Web UI testplan and then verify the tasks below.
    • [x] Verify that under requestable roles, only allow-roles-and-nodes and allow-users-with-short-ttl are listed
    • [x] Verify you can select/input/modify reviewers
    • [x] Verify you can view the request you created from request list (should be in a pending state)
    • [x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
    • [x] Verify you can't review own requests
  • Creating Access Requests (Search Based)
    • To setup a test environment, follow the steps laid out in Created Access Requests (Search Based) from the Web UI testplan and then verify the tasks below.
    • [x] Verify that a user can see resources based on the searcheable-resources rules
    • [x] Verify you can select/input/modify reviewers
    • [x] Verify you can view the request you created from request list (should be in a pending state)
    • [x] Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
    • [x] Verify you can't review own requests
    • [x] Verify that you can't mix adding resources from different clusters (there should be a warning dialogue that clears the selected list)
    • [x] Verify that you can't mix roles and resources into the same request.
  • Viewing & Approving/Denying Requests
    • To setup a test environment, follow the steps laid out in Viewing & Approving/Denying Requests from the Web UI testplan and then verify the tasks below.
    • [x] Verify you can view access request from request list
    • [x] Verify you can approve a request with message, and immediately see updated state with your review stamp (green checkmark) and message box
    • [x] Verify you can deny a request, and immediately see updated state with your review stamp (red cross)
    • [x] Verify deleting the denied request is removed from list
  • Assuming Approved Requests (Role Based)
    • [x] Verify that assuming allow-roles-and-nodes allows you to see roles screen and ssh into nodes
    • [x] After assuming allow-roles-and-nodes, verify that assuming allow-users-short-ttl allows you to see users screen, and denies access to nodes
    • [x] Verify a switchback banner is rendered with roles assumed, and count down of when it expires
    • [x] Verify switching back goes back to your default static role
    • [x] Verify after re-assuming allow-users-short-ttl role, the user is automatically logged out after the expiry is met (4 minutes)
  • Assuming Approved Requests (Search Based)
    • [x] Verify that assuming approved request, allows you to see the resources you've requested.
  • Assuming Approved Requests (Both)
    • [x] Verify assume buttons are only present for approved request and for logged in user
    • [x] Verify that after clicking on the assume button, it is disabled in both the list and in viewing
    • [x] Verify that after re-login, requests that are not expired and are approved are assumable again
• Configuration @gzdunek
  • [x] Verify that clicking on More Options icon ⋮ > Open Config File opens the app_config.json file in your editor.
    • Verify that this works on:
      • [x] macOS
      • [x] Windows
      • [x] Linux
  • Change a config property and restart the app. Verify that the change has been applied.
    • [x] Change a keyboard shortcut.
    • [x] Change terminal.fontFamily.
  • Provide the same keyboard shortcut for two actions.
    • [x] Verify that a notification is displayed saying that a duplicate shortcut was found.
  • Provide an invalid value for some property (for example, set "keymap.tab1": "ABC").
    • [x] Verify that a notification is displayed saying that the property has an invalid value.
  • Make a syntax error in the file (for example, set "keymap.tab1": not a string).
    • [x] Verify that a notification is displayed saying that the config file was not loaded correctly.
    • [x] Verify that your config changes were not overridden.
• Headless auth @gzdunek
  • Headless auth modal in Connect can be triggered by calling tsh ls --headless --user=<username> --proxy=<proxy>. The cluster needs to have webauthn enabled for it to work.
  • [x] Verify the basic operations (approve, reject, ignore then accept in the Web UI).
  • [x] Make a headless request then cancel the command. Verify that the modal in Connect was closed automatically.
  • [x] Make a headless request then accept it in the Web UI. Verify that the modal in Connect was closed automatically.
  • [x] Make two concurrent headless requests for the same cluster. Verify that Connect shows the second one after closing the modal for the first request.
  • [x] Make two concurrent headless requests for two different clusters. Verify that Connect shows the second one after closing the modal for the first request.
• tshd-initiated communication @gzdunek
  • [x] Create a db connection, wait for the cert to expire. Attempt to connect to the database through CLI. While the login modal is shown, make a headless request. Verify that after logging in again, the app shows the modal for the headless request.
• Per-session MFA
  • The easiest way to test it is to enable cluster-wide per-session MFA.
  • [x] Verify that connecting to a Kube cluster prompts for MFA.
    • [x] Re-execute kubectl exec --stdin --tty shell-demo -- /bin/bash mentioned above to verify that Kube access is working with MFA.
  • [x] Verify that Connect prompts for MFA during Connect My Computer setup.
• Connect My Computer
  • [x] Verify the happy path from clean slate (no existing role) setup: set up the node and then connect to it.
  • Kill the agent while its joining the cluster and verify that the logs from the agent process are shown in the UI.
    • The easiest way to do this is by following the agent cleanup daemon logs (tail -F ~/Library/Application\ Support/Teleport\ Connect/logs/cleanup.log) and then kill -s KILL <agent PID>.
    • [x] During setup.
    • [x] After setup in the status view. Verify that the page says that the process exited with SIGKILL.
  • [x] Open the node config, change the proxy address to an incorrect one to simulate problems with connection. Verify that the app kills the agent after the agent is not able to join the cluster within the timeout.
  • [x] Verify autostart behavior. The agent should automatically start on app start unless it was manually stopped before exiting the app.
  • Verify that all items from this section work on:
    • [x] macOS
    • [x] Linux
• [x] Verify that logs are collected for all processes (main, renderer, shared, tshd) under ~/Library/Application\ Support/Teleport\ Connect/logs.
• [x] Verify that the password from the login form is not saved in the renderer log.
• [x] Log in to a cluster, then log out and log in again as a different user. Verify that the app works properly after that.
• [x] Clean the Application Support dir for Connect. Start the latest stable version of the app. Open every possible document. Close the app. Start the current alpha. Reopen the tabs. Verify that the app was able to reopen the tabs without any errors.

[ravicious]

Canceling MFA prompt isn't propagated correctly in Firefox when updating a role.

This might have been introduced with Brian's changes to administrative actions MFA. I suspect it's a trivial JS issue.

• https://github.com/gravitational/teleport/issues/35933

[ravicious]

• [ ] Buttons for switching between card view and list view have no title attribute.

[kimlisa]

https://github.com/gravitational/teleport/issues/36841 https://github.com/gravitational/teleport/issues/36835 (this was present in the last version, it's trivial i think)

[ravicious]

Connect My Computer: Agent cleanup daemon exits immediately after launch

• https://github.com/gravitational/teleport/issues/36865

[gzdunek]

After changing success: string to success: { main: string, hover: string, active: string } in the theme, many places were not adjusted to use success.main color. Instead they are white. For example:

[avatus]

After changing success: string to success: { main: string, hover: string, active: string } in the theme, many places were not adjusted to use success.main color.

https://github.com/gravitational/teleport/pull/36875

[kimlisa]

can we continue testing with second_factor: on with a hardware key? i'm finding a few re-authentication errors and i'm collecting it here: https://github.com/gravitational/teleport/issues/36900

i think i've been testing with a hardware key so there's already a wide coverage

[ravicious]

Connect: Tab with cluster resources opened in v14 crashes after upgrade to v15

• https://github.com/gravitational/teleport/issues/36936

[rosstimothy]

https://github.com/gravitational/teleport/issues/37014

[bl-nero]

Graphical glitches when connecting through Web to a Windows desktop: https://github.com/gravitational/teleport/issues/37032

[bl-nero]

Account Settings offers to add an MFA device or a passkey when it should not be available #37033

[ibeckermayer]

• https://github.com/gravitational/teleport/issues/37072

[kimlisa]

@ravicious @gzdunek have you guys tested access request with MFA enabled in teleterm? the admin action requirement is failing (this is on master though), i'd imagine any CRUD operation in the teleterm needs to be tested with a second factor (i didn't see other CRUD stuff on teleterm so it mgiht be just access request actions)

[gzdunek]

@kimlisa I can't reproduce it. Are you on 15.0.0-alpha.5?

[kimlisa]

@kimlisa I can't reproduce it. Are you on 15.0.0-alpha.5?

@gzdunek i was on master, but i think what it was, is that my second factor was optional, and i didn't have a second factor added... we probably need better error message agh

this is web UI:

[gzdunek]

we probably need better error message agh

Yeah, it is a known problem with generic 'access denied' errors in Connect https://github.com/gravitational/teleport/issues/32550.

[rudream]

Two similar bugs where re-authentication with a hardware MFA device doesn't work:

• https://github.com/gravitational/teleport/issues/37298
• https://github.com/gravitational/teleport/issues/37299

[ravicious]

Re-authenticating using a hardware device doesn't work for updating users

• https://github.com/gravitational/teleport/issues/37424

Could someone try to reproduce this just to make sure my setup isn't broken in some way?