diff --git a/proxy/src/auth/backend/console_redirect.rs b/proxy/src/auth/backend/console_redirect.rs index 1df59b4893..e25dc3d45e 100644 --- a/proxy/src/auth/backend/console_redirect.rs +++ b/proxy/src/auth/backend/console_redirect.rs @@ -16,7 +16,7 @@ use crate::stream::PqStream; use crate::{auth, compute, waiters}; #[derive(Debug, Error)] -pub(crate) enum WebAuthError { +pub(crate) enum ConsoleRedirectError { #[error(transparent)] WaiterRegister(#[from] waiters::RegisterError), @@ -32,13 +32,13 @@ pub struct ConsoleRedirectBackend { console_uri: reqwest::Url, } -impl UserFacingError for WebAuthError { +impl UserFacingError for ConsoleRedirectError { fn to_string_client(&self) -> String { "Internal error".to_string() } } -impl ReportableError for WebAuthError { +impl ReportableError for ConsoleRedirectError { fn get_error_kind(&self) -> crate::error::ErrorKind { match self { Self::WaiterRegister(_) => crate::error::ErrorKind::Service, @@ -103,7 +103,7 @@ async fn authenticate( link_uri: &reqwest::Url, client: &mut PqStream, ) -> auth::Result { - ctx.set_auth_method(crate::context::AuthMethod::Web); + ctx.set_auth_method(crate::context::AuthMethod::ConsoleRedirect); // registering waiter can fail if we get unlucky with rng. // just try again. @@ -116,7 +116,7 @@ async fn authenticate( } }; - let span = info_span!("web", psql_session_id = &psql_session_id); + let span = info_span!("console_redirect", psql_session_id = &psql_session_id); let greeting = hello_message(link_uri, &psql_session_id); // Give user a URL to spawn a new database. @@ -127,14 +127,16 @@ async fn authenticate( .write_message(&Be::NoticeResponse(&greeting)) .await?; - // Wait for web console response (see `mgmt`). + // Wait for console response via control plane (see `mgmt`). info!(parent: &span, "waiting for console's reply..."); - let db_info = tokio::time::timeout(auth_config.webauth_confirmation_timeout, waiter) + let db_info = tokio::time::timeout(auth_config.console_redirect_confirmation_timeout, waiter) .await .map_err(|_elapsed| { - auth::AuthError::confirmation_timeout(auth_config.webauth_confirmation_timeout.into()) + auth::AuthError::confirmation_timeout( + auth_config.console_redirect_confirmation_timeout.into(), + ) })? - .map_err(WebAuthError::from)?; + .map_err(ConsoleRedirectError::from)?; if auth_config.ip_allowlist_check_enabled { if let Some(allowed_ips) = &db_info.allowed_ips { diff --git a/proxy/src/auth/backend/mod.rs b/proxy/src/auth/backend/mod.rs index ccd5cf3071..242fe99de2 100644 --- a/proxy/src/auth/backend/mod.rs +++ b/proxy/src/auth/backend/mod.rs @@ -9,7 +9,7 @@ use std::sync::Arc; use std::time::Duration; pub use console_redirect::ConsoleRedirectBackend; -pub(crate) use console_redirect::WebAuthError; +pub(crate) use console_redirect::ConsoleRedirectError; use ipnet::{Ipv4Net, Ipv6Net}; use local::LocalBackend; use tokio::io::{AsyncRead, AsyncWrite}; @@ -560,7 +560,7 @@ mod tests { ip_allowlist_check_enabled: true, is_auth_broker: false, accept_jwts: false, - webauth_confirmation_timeout: std::time::Duration::from_secs(5), + console_redirect_confirmation_timeout: std::time::Duration::from_secs(5), }); async fn read_message(r: &mut (impl AsyncRead + Unpin), b: &mut BytesMut) -> PgMessage { diff --git a/proxy/src/auth/mod.rs b/proxy/src/auth/mod.rs index 2bd7a2da3d..0198cc306e 100644 --- a/proxy/src/auth/mod.rs +++ b/proxy/src/auth/mod.rs @@ -32,7 +32,7 @@ pub(crate) type Result = std::result::Result; #[derive(Debug, Error)] pub(crate) enum AuthError { #[error(transparent)] - Web(#[from] backend::WebAuthError), + ConsoleRedirect(#[from] backend::ConsoleRedirectError), #[error(transparent)] GetAuthInfo(#[from] control_plane::errors::GetAuthInfoError), @@ -115,7 +115,7 @@ impl AuthError { impl UserFacingError for AuthError { fn to_string_client(&self) -> String { match self { - Self::Web(e) => e.to_string_client(), + Self::ConsoleRedirect(e) => e.to_string_client(), Self::GetAuthInfo(e) => e.to_string_client(), Self::Sasl(e) => e.to_string_client(), Self::PasswordFailed(_) => self.to_string(), @@ -135,7 +135,7 @@ impl UserFacingError for AuthError { impl ReportableError for AuthError { fn get_error_kind(&self) -> crate::error::ErrorKind { match self { - Self::Web(e) => e.get_error_kind(), + Self::ConsoleRedirect(e) => e.get_error_kind(), Self::GetAuthInfo(e) => e.get_error_kind(), Self::Sasl(e) => e.get_error_kind(), Self::PasswordFailed(_) => crate::error::ErrorKind::User, diff --git a/proxy/src/bin/local_proxy.rs b/proxy/src/bin/local_proxy.rs index df3628465f..fbdb1dec15 100644 --- a/proxy/src/bin/local_proxy.rs +++ b/proxy/src/bin/local_proxy.rs @@ -281,7 +281,7 @@ fn build_config(args: &LocalProxyCliArgs) -> anyhow::Result<&'static ProxyConfig ip_allowlist_check_enabled: true, is_auth_broker: false, accept_jwts: true, - webauth_confirmation_timeout: Duration::ZERO, + console_redirect_confirmation_timeout: Duration::ZERO, }, proxy_protocol_v2: config::ProxyProtocolV2::Rejected, handshake_timeout: Duration::from_secs(10), diff --git a/proxy/src/bin/proxy.rs b/proxy/src/bin/proxy.rs index efb3747829..fda5b25961 100644 --- a/proxy/src/bin/proxy.rs +++ b/proxy/src/bin/proxy.rs @@ -51,11 +51,11 @@ static GLOBAL: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc; #[derive(Clone, Debug, ValueEnum)] enum AuthBackendType { - Console, - // clap only shows the name, not the alias, in usage text. - // TODO: swap name/alias and deprecate "link" - #[value(name("link"), alias("web"))] - Web, + #[value(name("console"), alias("cplane"))] + ControlPlane, + + #[value(name("link"), alias("control-redirect"))] + ConsoleRedirect, #[cfg(feature = "testing")] Postgres, @@ -71,7 +71,7 @@ struct ProxyCliArgs { /// listen for incoming client connections on ip:port #[clap(short, long, default_value = "127.0.0.1:4432")] proxy: String, - #[clap(value_enum, long, default_value_t = AuthBackendType::Web)] + #[clap(value_enum, long, default_value_t = AuthBackendType::ConsoleRedirect)] auth_backend: AuthBackendType, /// listen for management callback connection on ip:port #[clap(short, long, default_value = "127.0.0.1:7000")] @@ -82,7 +82,7 @@ struct ProxyCliArgs { /// listen for incoming wss connections on ip:port #[clap(long)] wss: Option, - /// redirect unauthenticated users to the given uri in case of web auth + /// redirect unauthenticated users to the given uri in case of console redirect auth #[clap(short, long, default_value = "http://localhost:3000/psql_session/")] uri: String, /// cloud API endpoint for authenticating users @@ -231,6 +231,7 @@ struct ProxyCliArgs { proxy_protocol_v2: ProxyProtocolV2, /// Time the proxy waits for the webauth session to be confirmed by the control plane. + // TODO: rename to `console_redirect_confirmation_timeout`. #[clap(long, default_value = "2m", value_parser = humantime::parse_duration)] webauth_confirmation_timeout: std::time::Duration, } @@ -667,7 +668,7 @@ fn build_config(args: &ProxyCliArgs) -> anyhow::Result<&'static ProxyConfig> { ip_allowlist_check_enabled: !args.is_private_access_proxy, is_auth_broker: args.is_auth_broker, accept_jwts: args.is_auth_broker, - webauth_confirmation_timeout: args.webauth_confirmation_timeout, + console_redirect_confirmation_timeout: args.webauth_confirmation_timeout, }; let config = ProxyConfig { @@ -698,7 +699,7 @@ fn build_auth_backend( args: &ProxyCliArgs, ) -> anyhow::Result, &'static ConsoleRedirectBackend>> { match &args.auth_backend { - AuthBackendType::Console => { + AuthBackendType::ControlPlane => { let wake_compute_cache_config: CacheOptions = args.wake_compute_cache.parse()?; let project_info_cache_config: ProjectInfoCacheOptions = args.project_info_cache.parse()?; @@ -771,7 +772,7 @@ fn build_auth_backend( Ok(Either::Left(config)) } - AuthBackendType::Web => { + AuthBackendType::ConsoleRedirect => { let url = args.uri.parse()?; let backend = ConsoleRedirectBackend::new(url); diff --git a/proxy/src/compute.rs b/proxy/src/compute.rs index d397fc5160..ca4a348ed8 100644 --- a/proxy/src/compute.rs +++ b/proxy/src/compute.rs @@ -135,13 +135,13 @@ impl ConnCfg { /// Apply startup message params to the connection config. pub(crate) fn set_startup_params(&mut self, params: &StartupMessageParams) { // Only set `user` if it's not present in the config. - // Web auth flow takes username from the console's response. + // Console redirect auth flow takes username from the console's response. if let (None, Some(user)) = (self.get_user(), params.get("user")) { self.user(user); } // Only set `dbname` if it's not present in the config. - // Web auth flow takes dbname from the console's response. + // Console redirect auth flow takes dbname from the console's response. if let (None, Some(dbname)) = (self.get_dbname(), params.get("database")) { self.dbname(dbname); } diff --git a/proxy/src/config.rs b/proxy/src/config.rs index f63d7e45aa..b048c9d389 100644 --- a/proxy/src/config.rs +++ b/proxy/src/config.rs @@ -78,7 +78,7 @@ pub struct AuthenticationConfig { pub jwks_cache: JwkCache, pub is_auth_broker: bool, pub accept_jwts: bool, - pub webauth_confirmation_timeout: tokio::time::Duration, + pub console_redirect_confirmation_timeout: tokio::time::Duration, } impl TlsConfig { @@ -271,7 +271,7 @@ impl CertResolver { // auth-broker does not use SNI and instead uses the Neon-Connection-String header. // Auth broker has the subdomain `apiauth` we need to remove for the purposes of validating the Neon-Connection-String. // - // Console Web proxy does not use any wildcard domains and does not need any certificate selection or conn string + // Console Redirect proxy does not use any wildcard domains and does not need any certificate selection or conn string // validation, so let's we can continue with any common-name let common_name = if let Some(s) = common_name.strip_prefix("CN=*.") { s.to_string() diff --git a/proxy/src/context/mod.rs b/proxy/src/context/mod.rs index 2a6c9c5969..6cf99c0c97 100644 --- a/proxy/src/context/mod.rs +++ b/proxy/src/context/mod.rs @@ -75,7 +75,7 @@ struct RequestMonitoringInner { #[derive(Clone, Debug)] pub(crate) enum AuthMethod { // aka passwordless, fka link - Web, + ConsoleRedirect, ScramSha256, ScramSha256Plus, Cleartext, diff --git a/proxy/src/context/parquet.rs b/proxy/src/context/parquet.rs index adbb74c8e5..4112de646f 100644 --- a/proxy/src/context/parquet.rs +++ b/proxy/src/context/parquet.rs @@ -134,7 +134,7 @@ impl From<&RequestMonitoringInner> for RequestData { .as_ref() .and_then(|options| serde_json::to_string(&Options { options }).ok()), auth_method: value.auth_method.as_ref().map(|x| match x { - super::AuthMethod::Web => "web", + super::AuthMethod::ConsoleRedirect => "console_redirect", super::AuthMethod::ScramSha256 => "scram_sha_256", super::AuthMethod::ScramSha256Plus => "scram_sha_256_plus", super::AuthMethod::Cleartext => "cleartext", diff --git a/proxy/src/control_plane/messages.rs b/proxy/src/control_plane/messages.rs index 75c932e6ab..8762ba874b 100644 --- a/proxy/src/control_plane/messages.rs +++ b/proxy/src/control_plane/messages.rs @@ -245,7 +245,7 @@ pub(crate) struct WakeCompute { pub(crate) aux: MetricsAuxInfo, } -/// Async response which concludes the web auth flow. +/// Async response which concludes the console redirect auth flow. /// Also known as `kickResponse` in the console. #[derive(Debug, Deserialize)] pub(crate) struct KickSession<'a> { diff --git a/proxy/src/control_plane/mgmt.rs b/proxy/src/control_plane/mgmt.rs index 5ac3acd28a..2f7359240d 100644 --- a/proxy/src/control_plane/mgmt.rs +++ b/proxy/src/control_plane/mgmt.rs @@ -24,8 +24,8 @@ pub(crate) fn notify(psql_session_id: &str, msg: ComputeReady) -> Result<(), wai CPLANE_WAITERS.notify(psql_session_id, msg) } -/// Console management API listener task. -/// It spawns console response handlers needed for the web auth. +/// Management API listener task. +/// It spawns management response handlers needed for the console redirect auth flow. pub async fn task_main(listener: TcpListener) -> anyhow::Result { scopeguard::defer! { info!("mgmt has shut down"); @@ -43,13 +43,13 @@ pub async fn task_main(listener: TcpListener) -> anyhow::Result { tokio::task::spawn( async move { - info!("serving a new console management API connection"); + info!("serving a new management API connection"); // these might be long running connections, have a separate logging for cancelling // on shutdown and other ways of stopping. let cancelled = scopeguard::guard(tracing::Span::current(), |span| { let _e = span.entered(); - info!("console management API task cancelled"); + info!("management API task cancelled"); }); if let Err(e) = handle_connection(socket).await {