Teleport 16 Web Test Plan

[r0mant]

Web UI

Main

For main, test with a role that has access to all resources.

As you go through testing, click on any links you come across to make sure they work (no 404) and are up to date.

Trusted Cluster (leafs) (@avatus)

• Can add a trusted cluster

The following features should allow users to view resources in trusted clusters.
There should be a cluster dropdown for:

• unified resources
• new access request > resources dropdown
• active sessions
• audit log
• session recordings
• web terminal console view (can get to it by ssh into a node, or route to: /web/cluster/<cluster-name>/console/nodes)
• Can edit and delete a trusted cluster

Top Bar Nav (@rudream)

• Contains Resources (unified resources), Access Management, Access Requests, Active Sessions, Notification Bell and user settings menu

User Settings Menu (@rudream)

• Verify that clicking on the username, user menu dropdown renders:
  • Account Settings (actions should require re-authn with a mfa device)
    • Verify adding very first device or passkey works without requiring re-authentication
    • Can CRUD passkeys (passwordless)
      • Can login with added passkey
    • Can change passwords
      • Can login with changed password
      • Verify that account is locked after several unsuccessful change password attempts
    • Can CRUD MFA devices (test both otp + hardware key)
      • Can login with added device
    • Verify second_factor set to off disables adding devices
    • Recovery codes
      • Cloud only: can read and generate new recovery codes
  • Help & Support
    • Click on all the links and make sure they work (no 404) and are up to date
    • Renders cluster information
    • OSS: Premium support is locked behind a CTA button
  • Can toggle between light and dark theme
    • Theme preference is saved upon relogin

Unified Resources (@avatus )

• Verify that scrolling to the bottom of the page renders more resources
• Verify that all resource types are visible if no filters are present
• Verify that "Search" by (host)name, address, labels works for all resources
• Verify that clicking on Add Resource button correctly sends to the resource discovery page
• Verify pinned resources are saved upon relogin
• Type Server (aka nodes):
  • Verify that "Servers" type shows all joined nodes
  • Verify that "Connect" button shows a list of available logins
  • Verify that terminal opens when clicking on one of the available logins
  • Check agent forwarding is correct based on role and proxy mode.
    • Set forward_agent: true under the options section of your role, and then test that your
      teleport certs show up when you run ssh-add -l on the node.
• Type Application:
  • Verify that the app icons are correctly displayed
  • Verify that filtering types by Application includes applications in the page
  • Verify that the Launch button for applications correctly send to the app
  • Verify that the Launch button for AWS apps correctly renders an IAM role selection window
• Type Database:
  • Verify that the database subtype icons are correctly displayed
  • Verify that filtering types by Databases includes databases in the page
  • Verify that clicking Connect renders the dialog with correct information
• Type Kube:
  • Verify that filtering types by Kubes includes kubes in the page
  • Verify that clicking Connect renders the dialog with correct information
• Type Desktops:
  • Verify that filtering types by Desktops includes desktops in the page
  • Verify that clicking Connect renders a login selection and that the logins are completely in view

Active Sessions

• Verify that it displays the session when session is active
• Verify that "OPTIONS" button allows to join a session as an:
  • Observer
  • Peer
  • Moderator
    • Show instructions on how to terminate the session (t or ctrl + c)
    • OSS: Moderator is locked behind a CTA button

Access Management Side Nav (@rudream)

• Verify that each item on side nav has an icon

Session Recordings (@rudream)

• Verify that it can replay an interactive session
• Session Player:
  • Verify that when playing, scroller auto scrolls to bottom most content
  • Verify that error message is displayed (enter an invalid SID in the URL)

Audit log (@rudream)

• Verify that time range button is shown and works
• Verify event detail dialogue renders when clicking on events details button
• Verify searching by type, description, created works

Users (@rudream)

All actions should require re-authn with a webauthn device.

• Verify that creating and editing a user works
• Verify that removing a user works
• Verify resetting a user's password works
• Verify search by username, roles, and type works

Invite, Reset, and Login Forms (@rudream)

For each, test the invite, reset, and login flows

• Verify that input fields validates
• Verify with second_factor type to off
• Verify with second_factor type to otp, requires otp
• Verify with second_factor type to webauthn, requires hardware key
• Verify with second_factor type to on, requires a MFA device
• Verify that error message is shown if an invite/reset is expired/invalid
• Verify that account is locked after several unsuccessful login attempts

Auth Connectors

For help with setting up auth connectors, check out the [Quick GitHub/SAML/OIDC Setup Tips]

All actions should require re-authn with a webauthn device.

• Verify when there are no connectors, empty state renders
• Verify that creating, editing, and deleting OIDC/SAML/GitHub connectors works
• Verify that login works for GitHub/SAML/OIDC
• Verify that error is shown when saving an invalid YAML
• Verify that correct side hint text and doc link is shown
• Verify that encrypted SAML assertions work with an identity provider that supports it (Azure).
• Verify that created GitHub, SAML, OIDC card has their icons
• OSS only:
  • GitHub is allowed
  • SAML + OIDC are locked behind CTAs

Roles (@rudream)

All actions should require re-authn with a webauthn device.

• Verify that "Create New Role" dialog works
• Verify that deleting and editing works
• Verify that error is shown when saving an invalid YAML
• Verify that correct hint text and doc link are shown

Enroll New Integration (aka Plugins) (@kimlisa)

• All self-hosted plugins and machine id cards link out to the correct docs
• All no-code integrations renders form
• All integrations (except for AWS) can only be enrolled once, a checkmark should render and cards are not clickable anymore (unless you delete it)
• Integrations List
  • Verify the created integrations are shown in the integration list
  • Integrations can be deleted
• AWS External Audit Storage renders only for enterprise cloud
• In OSS for `no-code integrations``:
  • AWS OIDC card is rendered
  • AWS External Audit Storage is also rendered but locked behind a CTA

Enroll new resources using Discover Wizard @kimlisa

Use Discover Wizard to enroll new resources and access them:

• SSH Server (teleport service, singular EC2, SSM agent)
• Self-Hosted PostgreSQL and Mongo
• AWS RDS (singular RDS, auto discover with ECS)
• Kubernetes
• AWS EKS cluster (@AntonAM)
• Non-guided cards link out to correct docs

Access Lists @kimlisa

Not available for OSS

Admin refers to users with access_list RBAC defined:

spec:
  allow:
    rules:
    - resources:
      - access_list
      verbs:
      - list
      - create
      - read
      - update
      - delete

• Renders empty state animation highlighting different features of access lsit
• Admins can create, delete, edit, and review access list
• Owners (WITHOUT access_list RBAC defined) can still review and edit access lists that they are a owner of
• Members can only read access list that they are a member of (edit buttons should be disabled)
• Non members, owners, or admins should not be shown any access list
• Access list reviews due in two weeks or less are listed under notification bell
• (Team) and (On-Prem and Cloud Without IGS addon): Renders CTA on empty state or when there are access lists
• With IGS: Can create unlimited access list

Session & Identity Locks

spec:
  allow:
    rules:
    - resources:
      - lock
      verbs:
      - list
      - create
      - read
      - update
      - delete

• Existing locks listing page.
  • It lists all of the existing locks in the system.
  • Locks without a Locked By and Start Date are still shown with those fields empty.
  • Clicking the trash can deletes the lock with a spinner.
  • Table columns are sortable.
  • Table search field filters the results.
• Adding a new lock. (+ Add New Lock).
  • Target switcher shows the locks for the various target types (User, Role, Login, Node, MFA Device, Windows Desktop, Access Request).
  • Target switcher has "Access Request" in E build but not in OSS.
  • You can add lock targets from multiple target types.
  • Adding a target disables that "add button".
  • You cannot proceed if you haven't selected targets to lock.
  • You can clear the selected targets prior to creating locks.
  • Proceeding to lock opens an animated slide panel from the right.
  • You can remove lock targets from the slide panel.
  • Creating a lock with message and TTL correctly create the lock.
  • Create a lock without message and TTL, they should be optional.

Trusted Devices

• In OSS, locked behind a CTA
• (Team) and (On-Prem and Cloud Without IGS addon): Limited to 5 devices
• With IGS: Can add unlimited devices
• Renders empty state
• Can add and delete trusted devices

Managed Clusters (@avatus)

• Verify that it displays a list of clusters (root + leafs)
• Verify that root is marked with a root pill
• Verify that cluster dropdown menu items goes to the correct route

Access Requests

Not available for OSS

• (Team) and (On-Prem and Cloud Without IGS addon): Limited to 5 monthly requests
• With IGS: Unlimited requests

Access Request Notification Routing Rule (cloud only) @kimlisa

• Test the default integration rule notifies using default settings
• Test creating a custom rule that overwrites the default rule (default recipients should not be notified)
• Test update rule to a different recipient (the previous recipient should not be notified)
• Test email recipient notification works if applicable (eg slack)
• Test a rule with multiple recipients and channels (eg slack)
• Test multiple rules with different condition notifies correctly
• Test deleting all rules, notifications fallbacks to the default (deleted rules should not be notified)
• Test pre-defined predicate expressions from default editor work as match condition

Creating Access Requests (Role Based) (@avatus)

Create a role with limited permissions allow-roles-and-nodes. This role allows you to see the Role screen and ssh into all nodes.

kind: role
metadata:
  name: allow-roles-and-nodes
spec:
  allow:
    logins:
    - root
    node_labels:
      '*': '*'
    rules:
    - resources:
      - role
      verbs:
      - list
      - read
  options:
    max_session_ttl: 8h0m0s
version: v5

Create another role with limited permissions allow-users-with-short-ttl. This role session expires in 4 minutes, allows you to see Users screen, and denies access to all nodes.

kind: role
metadata:
  name: allow-users-with-short-ttl
spec:
  allow:
    rules:
    - resources:
      - user
      verbs:
      - list
      - read
  deny:
    node_labels:
      '*': '*'
  options:
    max_session_ttl: 4m0s
version: v5

Create a user that has no access to anything but allows you to request roles:

kind: role
metadata:
  name: test-role-based-requests
spec:
  allow:
    request:
      roles:
      - allow-roles-and-nodes
      - allow-users-with-short-ttl
      suggested_reviewers:
      - random-user-1
      - random-user-2
version: v5

• Verify that under requestable roles, only allow-roles-and-nodes and allow-users-with-short-ttl are listed
• Verify you can select/input/modify reviewers
• Verify you can view the request you created from request list (should be in pending states)
• Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
• Verify you can't review own requests

Creating Access Requests (Resource Based) (@avatus)

Create a role with access to searcheable resources (apps, db, kubes, nodes, desktops). The template searcheable-resources is below.

kind: role
metadata:
  name: searcheable-resources
spec:
  allow:
    app_labels:  # just example labels
      label1-key: label1-value
      env: [dev, staging]
    db_labels:
      '*': '*'   # asteriks gives user access to everything
    kubernetes_labels:
      '*': '*'
    node_labels:
      '*': '*'
    windows_desktop_labels:
      '*': '*'
version: v5

Create a user that has no access to resources, but allows you to search them:

kind: role
metadata:
  name: test-search-based-requests
spec:
  allow:
    request:
      search_as_roles:
      - searcheable resources
      suggested_reviewers:
      - random-user-1
      - random-user-2
version: v5

• Verify that a user can see resources based on the searcheable-resources rules
• Verify you can select/input/modify reviewers
• Verify you can view the request you created from request list (should be in pending states)
• Verify there is list of reviewers you selected (empty list if none selected AND suggested_reviewers wasn't defined)
• Verify you can't review own requests
• Verify that you can't mix adding resources from different clusters (there should be a warning dialogue that clears the selected list)

Viewing & Approving/Denying Requests (@avatus)

Create a user with the role reviewer that allows you to review all requests, and delete them.

kind: role
version: v3
metadata:
  name: reviewer
spec:
  allow:
    review_requests:
      roles: ['*']

• Verify you can view access request from request list
• Verify you can approve a request with message, and immediately see updated state with your review stamp (green checkmark) and message box
• Verify you can deny a request, and immediately see updated state with your review stamp (red cross)
• Verify deleting the denied request is removed from list

Assuming Approved Requests (Role Based) (@avatus)

• Verify that assuming allow-roles-and-nodes allows you to see roles screen and ssh into nodes
• After assuming allow-roles-and-nodes, verify that assuming allow-users-short-ttl allows you to see users screen, and denies access to nodes
  • Verify a switchback banner is rendered with roles assumed, and count down of when it expires
  • Verify switching back goes back to your default static role
  • Verify after re-assuming allow-users-short-ttl role, the user is automatically logged out after the expiry is met (4 minutes)

Assuming Approved Requests (Search Based) (@avatus)

• Verify that assuming approved request, allows you to see the resources you've requested.

Assuming Approved Requests (Both) (@avatus)

• Verify assume buttons are only present for approved request and for logged in user
• Verify that after clicking on the assume button, it is disabled in both the list and in viewing
• Verify that after re-login, requests that are not expired and are approved are assumable again

Access Request Waiting Room (@avatus)

Strategy Reason

Create the following role:

kind: role
metadata:
  name: waiting-room
spec:
  allow:
    request:
      roles:
      - <some other role to assign user after approval>
  options:
    max_session_ttl: 8h0m0s
    request_access: reason
    request_prompt: <some custom prompt to show in reason dialogue>
version: v3

• Verify after login, reason dialogue is rendered with prompt set to request_prompt setting
• Verify after clicking send request, pending dialogue renders
• Verify after approving a request, dashboard is rendered
• Verify the correct role was assigned

Strategy Always

With the previous role you created from Strategy Reason, change request_access to always:

• Verify after login, pending dialogue is auto rendered
• Verify after approving a request, dashboard is rendered
• Verify after denying a request, access denied dialogue is rendered
• Verify a switchback banner is rendered with roles assumed, and count down of when it expires
• Verify switchback button says Logout and clicking goes back to the login screen

Strategy Optional

With the previous role you created from Strategy Reason, change request_access to optional:

• Verify after login, dashboard is rendered as normal

Web Terminal (aka console) (@rudream)

• Verify that top nav has a user menu (Main and Logout)
• Verify that switching between tabs works with ctrl+[1...9] (alt on linux/windows)
• Update your user role to require_session_mfa and:
  • Verify connecting to a ssh node prompts you to tap your registered WebAuthn key
  • Verify you can still scp upload/download files

Terminal Node List Tab (@rudream)

• Verify that Cluster selector works (URL should change too)
• Verify that "Connect" button shows a list of available logins
• Verify that "Hostname", "Address" and "Labels" columns show the current values
• Verify that "Search" by hostname, address, labels work
• Verify that new tab is created when starting a session

Terminal Session Tab (@rudream)

• Verify that session and browser tabs both show the title with login and node name
• Verify that terminal resize works
  • Install midnight commander on the node you ssh into: $ sudo apt-get install mc
  • Run the program: $ mc
  • Resize the terminal to see if panels resize with it
• Verify that session tab shows/updates number of participants when a new user joins the session
• Verify that tab automatically closes on "$ exit" command
• Verify that SCP Upload works
• Verify that SCP Upload handles invalid paths and network errors
• Verify that SCP Download works
• Verify that SCP Download handles invalid paths and network errors

Cloud (@rudream)

From your cloud staging account, change the field teleportVersion to the test version.

$ kubectl -n <namespace> edit tenant

Dashboard Tenants (self-hosted license)

• Can see download page
• Can download license
• Can download teleport binaries

Recovery Code Management

• Verify generating recovery codes for local accounts with email usernames works
• Verify local accounts with non-email usernames are not able to generate recovery codes
• Verify SSO accounts are not able to generate recovery codes

Invite/Reset

• Verify email as usernames, renders recovery codes dialog
• Verify non email usernames, does not render recovery codes dialog

Recovery Flow: Add new mfa device

• Verify recovering (adding) a new hardware key device with password
• Verify recovering (adding) a new otp device with password
• Verify viewing and deleting any old device (but not the one just added)
• Verify new recovery codes are rendered at the end of flow

Recovery Flow: Change password

• Verify recovering password with any mfa device
• Verify new recovery codes are rendered at the end of flow

Recovery Email

• Verify receiving email for link to start recovery
• Verify receiving email for successfully recovering
• Verify email link is invalid after successful recovery
• Verify receiving email for locked account when max attempts reached

RBAC (@rudream)

Create a role, with no allow.rules defined:

kind: role
metadata:
  name: rbac
spec:
  allow:
    app_labels:
      '*': '*'
    logins:
    - root
    node_labels:
      '*': '*'
  options:
    max_session_ttl: 8h0m0s
version: v3

• Verify that a user has access only to: "Servers", "Applications", "Databases", "Kubernetes", "Active Sessions", "Access Requests" and "Manage Clusters"
• Verify there is no Add Server, Application, Databases, Kubernetes button in each respective view
• Verify only Servers, Apps, Databases, and Kubernetes are listed under options button in Manage Clusters

Note: User has read/create access_request access to their own requests, despite resource settings

Add the following under spec.allow.rules to enable read access to the audit log:

  - resources:
      - event
      verbs:
      - list

• Verify that the Audit Log and Session Recordings is accessible
• Verify that playing a recorded session is denied

Add the following to enable read access to recorded sessions

  - resources:
      - session
      verbs:
      - read

• Verify that a user can re-play a session (session.end)

Add the following to enable read access to the roles

- resources:
      - role
      verbs:
      - list
      - read

• Verify that a user can see the roles
• Verify that a user cannot create/delete/update a role

Add the following to enable read access to the auth connectors

- resources:
      - auth_connector
      verbs:
      - list
      - read

• Verify that a user can see the list of auth connectors.
• Verify that a user cannot create/delete/update the connectors

Add the following to enable read access to users

  - resources:
      - user
      verbs:
      - list
      - read

• Verify that a user can access the "Users" screen
• Verify that a user cannot reset password and create/delete/update a user

Add the following to enable read access to trusted clusters

  - resources:
      - trusted_cluster
      verbs:
      - list
      - read

• Verify that a user can access the "Trust" screen
• Verify that a user cannot create/delete/update a trusted cluster.

Teleport Connect

• Auth methods @ravicious
  • Verify that the app supports clusters using different auth settings
    (auth_service.authentication in the cluster config):
    • type: local, second_factor: "off"
    • type: local, second_factor: "otp"
      • Test per-session MFA items listed later in the test plan.
    • type: local, second_factor: "webauthn",
      • Test per-session MFA items listed later in the test plan.
    • type: local, second_factor: "webauthn", log in passwordlessly with hardware key
    • type: local, second_factor: "webauthn", log in passwordlessly with touch ID
    • type: local, second_factor: "optional", log in without MFA
    • type: local, second_factor: "optional", log in with OTP
    • type: local, second_factor: "optional", log in with hardware key
    • type: local, second_factor: "on", log in with OTP
      • Test per-session MFA items listed later in the test plan.
    • type: local, second_factor: "on", log in with hardware key
    • type: local, second_factor: "on", log in with passwordless auth
    • Verify that the passwordless credential picker works.
      • To make the picker show up, you need to add the same MFA device with passwordless
        capabilities to multiple users.
    • Authentication connectors:
      • For those you might want to use clusters that are deployed on the web, specified in
        parens. Or set up the connectors on a local enterprise cluster following the guide from
        our wiki.
      • GitHub (asteroid)
        • local login on a GitHub-enabled cluster
      • SAML (platform cluster)
      • OIDC (e-demo)
  • Verify that all items from this section work on:
    • macOS
    • Windows
    • Linux
• Shell @gzdunek
  • Verify that the shell is pinned to the correct cluster (for root clusters and leaf
    clusters).
    • That is, opening new shell sessions in other workspaces or other clusters within the same
      workspace should have no impact on the original shell session.
  • Verify that the local shell is opened with correct env vars.
    • TELEPORT_PROXY and TELEPORT_CLUSTER should pin the session to the correct cluster.
    • TELEPORT_HOME should point to ~/Library/Application Support/Teleport Connect/tsh.
    • PATH should include /Applications/Teleport Connect.app/Contents/Resources/bin.
  • Verify that the working directory in the tab title is updated when you change the directory
    (only for local terminals).
  • Verify that terminal resize works for both local and remote shells.
    • Install midnight commander on the node you ssh into: $ sudo apt-get install mc
    • Run the program: $ mc
    • Resize Teleport Connect to see if the panels resize with it
  • Verify that the tab automatically closes on $ exit command.
  • Verify that Connect doesn't leave orphaned processes.
    • Open a local shell session in Connect.
    • Open Activity Monitor, then View -> All Processes, Hierarchically.
    • Locate Teleport Connect. There should be Teleport Connect Helper process with a shell
      process under it.
    • Double-click that shell process to open a window with process details.
    • Close Teleport Connect without closing the tab first.
    • Verify that the separate Activity Monitor window for that process now says "terminated".
  • Verify that all items from this section work on:
    • macOS
    • Windows
    • Linux
• Kubernetes access @ravicious
  • Open a new kubernetes tab, run echo $KUBECONFIG and check if it points to the file within Connect's app data directory.
  • Close the tab and open it again (to the same resource). Verify that the kubeconfig path didn't change.
  • Run kubectl get pods -A and verify that the command succeeds. Then create a pod with
    kubectl apply -f https://k8s.io/examples/application/shell-demo.yaml and exec into it with
    kubectl exec --stdin --tty shell-demo -- /bin/bash. Verify that the shell works.
    • For execing into a pod, you might need to create a ClusterRoleBinding in
      k8s
      for the admin role.
      Then you need to add the k8s group (which maps to the k8s admin role in
      ClusterRoleBinding) to kubernetes_groups of your Teleport role.
    • Repeat the above check for a k8s cluster connected to a leaf cluster.
  • Verify that the kubeconfig file is removed when the user:
    • Removes the connection
    • Logs out of the cluster
    • Closes Teleport Connect
  • Verify that all items from this section work on:
    • macOS
    • Windows
    • Linux
• State restoration from disk @gzdunek
  • Verify that the app asks about restoring previous tabs when launched and restores them
    properly.
  • Verify that the app opens with the cluster that was active when you closed the app.
  • Verify that the app remembers size & position after restart.
    • Verify that this works on:
      • macOS
      • Windows
      • Linux
  • Verify that reopening a cluster that has no workspace
    assigned works.
  • Verify that reopening the app after removing ~/Library/Application Support/Teleport Connect/tsh doesn't crash the app.
  • Verify that reopening the app after removing ~/Library/Application Support/Teleport Connect/app_state.json but not the tsh dir doesn't crash the app.
  • Verify that logging out of a cluster and then logging in to the same cluster doesn't
    remember previous tabs (they should be cleared on logout).
  • Open a db connection tab. Change the db name and port. Close the tab. Restart the app. Open
    connection tracker and choose said db connection from it. Verify that the newly opened tab uses
    the same db name and port.
  • Log in to a cluster. Close the DocumentCluster tab. Open a new DocumentCluster tab. Restart
    the app. Verify that the app doesn't ask you about restoring previous tabs.
• Connections picker @gzdunek
  • Verify that the connections picker shows new connections when ssh & db tabs are opened.
  • Check if those connections are available after the app restart.
  • Check that those connections are removed after you log out of the root cluster that they
    belong to.
  • Verify that reopening a db connection from the connections picker remembers last used port.
• Cluster resources (servers, databases, k8s, apps) @ravicious
  • Verify that the app shows the same resources as the Web UI.
  • Verify that search is working for the resources list.
  • Verify that pagination is working for the resources list.
  • Verify that pagination works in tandem with search, that is verify that search results are
    paginated too.
  • Verify that you can connect to these resources.
    • Verify that this works on:
      • macOS
      • Windows
      • Linux
  • Verify that clicking "Connect" shows available logins and db usernames.
    • Logins and db usernames are taken from the role, under spec.allow.logins and
      spec.allow.db_users.
  • Repeat the above steps for resources in leaf clusters.
• Tabs @gzdunek
  • Verify that tabs have correct titles set.
  • Verify that changing tab position works.
• Shortcuts @ravicious
  • Verify that switching between tabs works on Cmd+[1...9].
  • Verify that other shortcuts are shown after you close all tabs.
  • Verify that the other shortcuts work and each of them is shown on hover on relevant UI
    elements.
  • Verify that all items from this section work on:
    • macOS
    • Windows
    • Linux
• Workspaces & cluster management @gzdunek
  • Verify that logging in to a new cluster adds it to the identity switcher and switches to
    the workspace of that cluster automatically.
  • Verify that the state of the current workspace is preserved when you change the workspace
    (by switching to another cluster) and return to the previous workspace.
  • Click "Add another cluster", provide an address to a cluster that was already added. Verify
    that Connect simply changes the workspace to that of that cluster.
  • Click "Add another cluster", provide an address to a new cluster and submit the form. Close
    the modal when asked for credentials. Verify that the cluster was still added and is visible in
    the profile selector.
• Search bar @gzdunek
  • Verify that you can connect to all three resources types on root clusters and leaf
    clusters.
  • Verify that picking a resource filter and a cluster filter at the same time works as
    expected.
  • Verify that connecting to a resource from a different root cluster switches to the
    workspace of that root cluster.
  • Shut down a root cluster.
    • Verify that attempting to search returns "Some of the search results are incomplete" in
      the search bar.
    • Verify that clicking "Show details" next to the error message and then closing the modal
      by clicking one of the buttons or by pressing Escape does not close the search bar.
  • Log in as a user with a short TTL. Make sure you're not logged in to any other cluster. Wait for
    the cert to expire. Enter a search term that usually returns some results.
    • Relogin when asked. Verify that the search bar is not collapsed and shows search
      results.
    • Close the login modal instead of logging in. Verify that the search bar is not collapsed
      and shows "No matching results found".
• Resilience when resources become unavailable @ravicious
  • DocumentCluster
    • For each scenario, create at least one DocumentCluster tab for each available resource kind.
    • For each scenario, first do the action described in the bullet point, then refetch list of
      resources by entering the search field and pressing enter. Verify that no unrecoverable
      error was raised (that is, the app still works). Then restart the app and verify that it was
      restarted gracefully (no unrecoverable error on restart, the user can continue using the
      app).
      • Stop the root cluster.
      • Stop a leaf cluster.
      • Disconnect your device from the internet.
  • DocumentGateway
    • Verify that you can't open more than one tab for the same db server + username pair.
      Trying to open a second tab with the same pair should just switch you to the already
      existing tab.
    • Create a db connection tab for a given database. Then remove access to that db for that
      user. Go back to Connect and change the database name and port. Both actions should not
      return an error.
    • Open DocumentCluster and make sure a given db is visible on the list of available dbs.
      Click "Connect" to show a list of db users. Now remove access to that db. Go back to Connect
      and choose a username. Verify that a recoverable error is shown and the user can continue
      using the app.
    • Create a db connection, close the app, run tsh proxy db with the same port, start the
      app. Verify that the app doesn't crash and the db connection tab shows you the error
      (address in use) and offers a way to retry creating the connection.
      • Verify that this works on:
        • macOS
        • Windows
        • Linux
• File transfer @gzdunek
  • Download
    • Verify if Connect asks for a path when downloading the file.
    • Verify that invalid paths and network errors are handled.
    • Verify if cancelling the download works.
  • Upload
    • Verify if uploading single/multiple files works.
    • Verify that invalid paths and network errors are handled.
    • Verify if cancelling the upload works.
• Refreshing certs @gzdunek
  • To test scenarios from this section, create a user with a role that has TTL of 1m
    (spec.options.max_session_ttl).
  • Log in, create a db connection and run the CLI command; wait for the cert to expire, make
    another connection to the local db proxy.
    • Verify that the window received focus and a modal login is shown.
      • Verify that this works on:
        • macOS
        • Windows
        • Linux
    • Verify that after successfully logging in:
      • The cluster info is synced.
      • The first connection wasn't dropped; try executing select now();, the client should
        be able to automatically reinstantiate the connection.
      • The database proxy is able to handle new connections; click "Run" in the db tab and
        see if it connects without problems. You might need to resync the cluster again in case
        they managed to expire.
    • Verify that closing the login modal without logging in shows an appropriate error.
  • Log in, create a db connection, then remove access to that db server for that user; wait for
    the cert to expire, then attempt to make a connection through the proxy; log in.
    • Verify that psql shows an appropriate access denied error ("access to db denied. User
      does not have permissions. Confirm database user and name").
  • Log in, open a cluster tab, wait for the cert to expire. Switch from a servers view to
    databases view.
    • Verify that a login modal was shown.
    • Verify that after logging in, the database list is shown.
  • Log in, set up two db connections. Wait for the cert to expire. Attempt to connect to the first
    proxy, then without logging in proceed to connect to the second proxy.
    • Verify that an error notification was shown related to another login attempt being in
      progress.
• Access Requests @ravicious
  • Creating Access Requests (Role Based)
    • To setup a test environment, follow the steps laid out in Created Access Requests (Role Based) from the Web UI testplan and then verify the tasks below.
    • Verify that under requestable roles, only allow-roles-and-nodes and
      allow-users-with-short-ttl are listed
    • Verify you can select/input/modify reviewers
    • Verify you can view the request you created from request list (should be in a pending
      state)
    • Verify there is list of reviewers you selected (empty list if none selected AND
      suggested_reviewers wasn't defined)
    • Verify you can't review own requests
  • Creating Access Requests (Search Based)
    • To setup a test environment, follow the steps laid out in Created Access Requests (Search Based) from the Web UI testplan and then verify the tasks below.
    • Verify that a user can see resources based on the searcheable-resources rules
    • Verify you can select/input/modify reviewers
    • Verify you can view the request you created from request list (should be in a pending
      state)
    • Verify there is list of reviewers you selected (empty list if none selected AND
      suggested_reviewers wasn't defined)
    • Verify you can't review own requests
    • Verify that you can mix adding resources from the root and leaf clusters.
    • Verify that you can't mix roles and resources into the same request.
    • Verify that you can request resources from both the unified view and the search bar.
    • Change proxy_service.ui.show_resources to accessible_only.
      • Verify that you can now only request resources from the new request tab.
  • Viewing & Approving/Denying Requests
    • To setup a test environment, follow the steps laid out in Viewing & Approving/Denying Requests from the Web UI testplan and then verify the tasks below.
    • Verify you can view access request from request list
    • Verify you can approve a request with message, and immediately see updated state with
      your review stamp (green checkmark) and message box
    • Verify you can deny a request, and immediately see updated state with your review stamp
      (red cross)
    • Verify deleting the denied request is removed from list
  • Assuming Approved Requests (Role Based)
    • Verify that assuming allow-roles-and-nodes allows you to see roles screen and ssh into
      nodes
    • After assuming allow-roles-and-nodes, verify that assuming allow-users-short-ttl
      allows you to see users screen, and denies access to nodes
    • Verify a switchback banner is rendered with roles assumed, and count down of when it
      expires
    • Verify switching back goes back to your default static role
    • Verify after re-assuming allow-users-short-ttl role, the user is automatically logged
      out after the expiry is met (4 minutes)
  • Assuming Approved Requests (Search Based)
    • Verify that assuming approved request, allows you to see the resources you've requested.
  • Assuming Approved Requests (Both)
    • Verify assume buttons are only present for approved request and for logged in user
    • Verify that after clicking on the assume button, it is disabled in both the list and in
      viewing
    • Verify that after re-login, requests that are not expired and are approved are assumable
      again
• Configuration @gzdunek
  • Verify that clicking on More Options icon ⋮ > Open Config File opens the app_config.json file in your editor.
    • Verify that this works on:
      • macOS
      • Windows
      • Linux
  • Change a config property and restart the app. Verify that the change has been applied.
    • Change a keyboard shortcut.
    • Change terminal.fontFamily.
  • Provide the same keyboard shortcut for two actions.
    • Verify that a notification is displayed saying that a duplicate shortcut was found.
  • Provide an invalid value for some property (for example, set "keymap.tab1": "ABC").
    • Verify that a notification is displayed saying that the property has an invalid value.
  • Make a syntax error in the file (for example, set "keymap.tab1": not a string).
    • Verify that a notification is displayed saying that the config file was not loaded correctly.
    • Verify that your config changes were not overridden.
• Headless auth @ravicious
  • Headless auth modal in Connect can be triggered by calling tsh ls --headless --user=<username> --proxy=<proxy>. The cluster needs to have webauthn enabled for it to work.
  • Verify the basic operations (approve, reject, ignore then accept in the Web UI).
  • Make a headless request then cancel the command. Verify that the modal in Connect was
    closed automatically.
  • Make a headless request then accept it in the Web UI. Verify that the modal in Connect was
    closed automatically.
  • Make two concurrent headless requests for the same cluster. Verify that Connect shows the
    second one after closing the modal for the first request.
  • Make two concurrent headless requests for two different clusters. Verify that Connect shows
    the second one after closing the modal for the first request.
• Per-session MFA @ravicious
  • The easiest way to test it is to enable cluster-wide per-session
    MFA.
  • Verify that connecting to a Kube cluster prompts for MFA.
    • Re-execute kubectl exec --stdin --tty shell-demo -- /bin/bash mentioned above to
      verify that Kube access is working with MFA.
  • Verify that Connect prompts for MFA during Connect My Computer setup.
• Connect My Computer @gzdunek
  • Verify the happy path from clean slate (no existing role) setup: set up the node and then
    connect to it.
  • Kill the agent while its joining the cluster and verify that the logs from the agent process
    are shown in the UI.
    • The easiest way to do this is by following the agent cleanup daemon logs (tail -F ~/Library/Application\ Support/Teleport\ Connect/logs/cleanup.log) and then kill -s KILL <agent PID>.
    • During setup.
    • After setup in the status view. Verify that the page says that the process exited with
      SIGKILL.
  • Open the node config, change the proxy address to an incorrect one to simulate problems
    with connection. Verify that the app kills the agent after the agent is not able to join the
    cluster within the timeout.
  • Verify autostart behavior. The agent should automatically start on app start unless it was
    manually stopped before exiting the app.
  • Verify that all items from this section work on:
    • macOS
    • Windows
    • Linux
• Verify that logs are collected for all processes (main, renderer, shared, tshd) under
  ~/Library/Application\ Support/Teleport\ Connect/logs.
• Verify that the password from the login form is not saved in the renderer log.
• Log in to a cluster, then log out and log in again as a different user. Verify that the app
  works properly after that.
• Clean the Application Support dir for Connect. Start the latest stable version of the app.
  Open every possible document. Close the app. Start the current alpha. Reopen the tabs. Verify that
  the app was able to reopen the tabs without any errors.

[kimlisa]

FYI, i copied and pasted the latest from this PR: #36846

[gzdunek]

• Click "Add another cluster", provide an address to a cluster that was already added. Verify that Connect simply changes the workspace to that of that cluster.

After doing this, the cluster details that we fetch from the auth server are removed (so for example, the unified view gets stuck in the loading state). We shouldn't overwrite a cluster in the state if it is connected.

[gzdunek]

• Verify if uploading single/multiple files works.
  Uploading multiple files fails when per session MFA is enabled. I suspect it happens because we try to access the hardware key for each upload at the same time:

 FIDO2: Device ioreg://4294975476 failed to open, skipping: open device: internal error webauthncli/fido2.go:690

[avatus]

• Verify if uploading single/multiple files works.
  Uploading multiple files fails when per session MFA is enabled. I suspect it happens because we try to access the hardware key for each upload at the same time:

 FIDO2: Device ioreg://4294975476 failed to open, skipping: open device: internal error webauthncli/fido2.go:690

@capnspacehook i think we removed the ability to upload multiple files when MFA is required. is that correct? If so, we can remove this test plan item

[capnspacehook]

The change that was made was only allowing one in-flight file transfer request at a time for moderated SSH sessions. In non-moderated sessions multiple files should be able to be uploaded whether MFA is required or not AFAIK

[avatus]

Thanks @capnspacehook . @gzdunek , if multiple upload works without MFA, we can check this one off. I'll write an issue to do something along the lines of preventing the UI from allowing multiple upload if MFA is enabled, and/or showing a message to the user stating so. Thanks

[AntonAM]

• EKS Discover enrollment can't download correct chart version for non-standard releases #42335

[gzdunek]

@avatus uploading multiple files works fine when per-session MFA is disabled.

With per-session MFA enabled, Web UI has similar problems to Connect.

• Firefox (the UX is really bad here, the entire browser hangs up, I think it tries to show the webauthn popup, but it can't for some reason):

• Chrome (the webauthn popup was displayed once, but there's still an error):

[ravicious]

• Non blocking Connect My Computer can't download correct agent version for non-standard releases #42348

[ravicious]

• Can't remove resources from access request in Connect when they share the same name but come from different clusters #42352

[ravicious]

• Connect sends "assume role" usage event when dropping access request #42484

[ravicious]

• Search bar doesn't show requestable resources from leaf clusters #42561

[ravicious]

• Connect and Web UI submit access requests with different durations #42562

[gzdunek]

• Connect should not show requestable resources when the user is logged to OSS cluster #42563

[ravicious]

• Non blocking: Deleting an access request does not refresh list of requests in Connect #42564

[avatus]

Can add and delete trusted devices

i cannot add or delete trusted devices via the UI but it doesn't look like we ever could? Devices can be enrolled/removed via tctl (like the web UI says) just fine. So i'll check this. unless any other input on this?