removing error from NewProtoReader return, fixing tests and lint issues

Author: eriktate

lib/auth/init_test.go

@@ -215,6 +215,9 @@ func TestSignatureAlgorithmSuite(t *testing.T) {
 	setupInitConfig := func(t *testing.T, capOrigin string, fips, hsm bool) InitConfig {
 		cfg := setupConfig(t)
 		cfg.FIPS = fips
+		if hsm {
+			cfg.KeyStoreConfig = keystore.HSMTestConfig(t)
+		}
 		cfg.AuthPreference.SetOrigin(capOrigin)
 		if capOrigin != types.OriginDefaults {
 			cfg.AuthPreference.SetSignatureAlgorithmSuite(types.SignatureAlgorithmSuite_SIGNATURE_ALGORITHM_SUITE_UNSPECIFIED)

lib/auth/recordingencryption/clusterconfig.go

@@ -1,10 +1,27 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 package recordingencryption
 
 import (
 	"context"
 
 	"github.com/gravitational/trace"
 
+	recordingencryptionv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/recordingencryption/v1"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/services"
 )
@@ -26,45 +43,63 @@ func NewClusterConfigService(service services.ClusterConfigurationInternal, reso
 
 // CreateSessionRecordingConfig evaluates RecordingEncryption state before creating the SessionRecordingConfig.
 func (s *ClusterConfigService) CreateSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error) {
-	if cfg.GetEncrypted() {
-		encryption, err := s.resolver.ResolveRecordingEncryption(ctx)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
+	if !cfg.GetEncrypted() {
+		res, err := s.ClusterConfigurationInternal.CreateSessionRecordingConfig(ctx, cfg)
+		return res, trace.Wrap(err)
+	}
 
-		cfg.SetEncryptionKeys(GetAgeEncryptionKeys(encryption.GetSpec().ActiveKeys))
+	var res types.SessionRecordingConfig
+	_, err := s.resolver.ResolveRecordingEncryption(ctx, func(ctx context.Context, encryption *recordingencryptionv1.RecordingEncryption) error {
+		cfg.SetEncryptionKeys(getAgeEncryptionKeys(encryption.GetSpec().ActiveKeys))
+		var err error
+		res, err = s.ClusterConfigurationInternal.CreateSessionRecordingConfig(ctx, cfg)
+		return err
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
 
-	res, err := s.ClusterConfigurationInternal.CreateSessionRecordingConfig(ctx, cfg)
-	return res, trace.Wrap(err)
+	return res, nil
 }
 
 // UpdateSessionRecordingConfig evaluates RecordingEncryption state before updating the SessionRecordingConfig.
-func (r *ClusterConfigService) UpdateSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error) {
-	if cfg.GetEncrypted() {
-		encryption, err := r.resolver.ResolveRecordingEncryption(ctx)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
+func (s *ClusterConfigService) UpdateSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error) {
+	if !cfg.GetEncrypted() {
+		res, err := s.ClusterConfigurationInternal.UpdateSessionRecordingConfig(ctx, cfg)
+		return res, trace.Wrap(err)
+	}
 
-		cfg.SetEncryptionKeys(GetAgeEncryptionKeys(encryption.GetSpec().ActiveKeys))
+	var res types.SessionRecordingConfig
+	_, err := s.resolver.ResolveRecordingEncryption(ctx, func(ctx context.Context, encryption *recordingencryptionv1.RecordingEncryption) error {
+		cfg.SetEncryptionKeys(getAgeEncryptionKeys(encryption.GetSpec().ActiveKeys))
+		var err error
+		res, err = s.ClusterConfigurationInternal.UpdateSessionRecordingConfig(ctx, cfg)
+		return err
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
 
-	res, err := r.ClusterConfigurationInternal.UpdateSessionRecordingConfig(ctx, cfg)
-	return res, trace.Wrap(err)
+	return res, nil
 }
 
 // UpsertSessionRecordingConfig evaluates RecordingEncryption state before upserting the SessionRecordingConfig.
-func (r *ClusterConfigService) UpsertSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error) {
-	if cfg.GetEncrypted() {
-		encryption, err := r.resolver.ResolveRecordingEncryption(ctx)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
+func (s *ClusterConfigService) UpsertSessionRecordingConfig(ctx context.Context, cfg types.SessionRecordingConfig) (types.SessionRecordingConfig, error) {
+	if !cfg.GetEncrypted() {
+		res, err := s.ClusterConfigurationInternal.UpsertSessionRecordingConfig(ctx, cfg)
+		return res, trace.Wrap(err)
+	}
 
-		cfg.SetEncryptionKeys(GetAgeEncryptionKeys(encryption.GetSpec().ActiveKeys))
+	var res types.SessionRecordingConfig
+	_, err := s.resolver.ResolveRecordingEncryption(ctx, func(ctx context.Context, encryption *recordingencryptionv1.RecordingEncryption) error {
+		cfg.SetEncryptionKeys(getAgeEncryptionKeys(encryption.GetSpec().ActiveKeys))
+		var err error
+		res, err = s.ClusterConfigurationInternal.UpsertSessionRecordingConfig(ctx, cfg)
+		return err
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
 
-	res, err := r.ClusterConfigurationInternal.UpsertSessionRecordingConfig(ctx, cfg)
-	return res, trace.Wrap(err)
+	return res, nil
 }

lib/auth/recordingencryption/encryptedio.go

@@ -1,12 +1,27 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 package recordingencryption
 
 import (
 	"context"
 	"io"
 
-	"github.com/gravitational/trace"
-
 	"filippo.io/age"
+	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/types"
 )

lib/auth/recordingencryption/encryptedio_test.go

@@ -1,3 +1,19 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
 package recordingencryption_test
 
 import (
@@ -34,6 +50,7 @@ func TestEncryptedIO(t *testing.T) {
 
 	msg := []byte("testing encrypted IO")
 	_, err = writer.Write(msg)
+	require.NoError(t, err)
 
 	// writer must be closed to ensure data is flushed
 	err = writer.Close()

lib/auth/recordingencryption/watcher.go

@@ -66,7 +66,7 @@ func NewWatcher(cfg WatchConfig) (*Watcher, error) {
 		return nil, trace.BadParameter("cluster config backend is required")
 	}
 	if cfg.Logger == nil {
-		cfg.Logger = slog.With(teleport.ComponentKey, "encryption-watcher")
+		cfg.Logger = slog.With(teleport.ComponentKey, "recording-encryption-watcher")
 	}
 
 	return &Watcher{

lib/client/player.go

@@ -51,11 +51,7 @@ func (p *playFromFileStreamer) StreamSessionEvents(
 		}
 		defer f.Close()
 
-		pr, err := events.NewProtoReader(f, nil)
-		if err != nil {
-			errs <- trace.Wrap(err)
-			return
-		}
+		pr := events.NewProtoReader(f, nil)
 
 		for i := int64(0); ; i++ {
 			evt, err := pr.Read(ctx)

lib/events/auditlog.go

@@ -579,11 +579,7 @@ func (l *AuditLog) StreamSessionEvents(ctx context.Context, sessionID session.ID
 			return
 		}
 
-		protoReader, err := NewProtoReader(rawSession, l.decrypter)
-		if err != nil {
-			e <- trace.Wrap(err)
-			return
-		}
+		protoReader := NewProtoReader(rawSession, l.decrypter)
 		defer protoReader.Close()
 
 		firstEvent := true

lib/events/emitter_test.go

@@ -108,8 +108,7 @@ func TestProtoStreamer(t *testing.T) {
 			require.NoError(t, err)
 
 			for _, part := range parts {
-				reader, err := events.NewProtoReader(bytes.NewReader(part), nil)
-				require.NoError(t, err)
+				reader := events.NewProtoReader(bytes.NewReader(part), nil)
 				out, err := reader.ReadAll(ctx)
 				require.NoError(t, err, "part crash %#v", part)
 				outEvents = append(outEvents, out...)
@@ -257,8 +256,7 @@ func TestExport(t *testing.T) {
 		_, err := f.Write(part)
 		require.NoError(t, err)
 	}
-	reader, err := events.NewProtoReader(io.MultiReader(readers...), nil)
-	require.NoError(t, err)
+	reader := events.NewProtoReader(io.MultiReader(readers...), nil)
 	outEvents, err := reader.ReadAll(ctx)
 	require.NoError(t, err)
 

lib/events/filesessions/fileasync.go

@@ -439,11 +439,7 @@ func (u *Uploader) startUpload(ctx context.Context, fileName string) (err error)
 		return trace.Wrap(err, "uploader could not acquire file lock for %q", sessionFilePath)
 	}
 
-	protoReader, err := events.NewProtoReader(sessionFile, nil)
-	if err != nil {
-		return trace.Wrap(err)
-	}
-
+	protoReader := events.NewProtoReader(sessionFile, nil)
 	upload := &upload{
 		sessionID:    sessionID,
 		reader:       protoReader,

lib/events/filesessions/fileasync_test.go

@@ -669,7 +669,7 @@ func readStream(ctx context.Context, t *testing.T, uploadID string, uploader *ev
 	var reader *events.ProtoReader
 	for i, part := range parts {
 		if i == 0 {
-			reader = events.NewProtoReader(bytes.NewReader(part))
+			reader = events.NewProtoReader(bytes.NewReader(part), nil)
 		} else {
 			err := reader.Reset(bytes.NewReader(part))
 			require.NoError(t, err)

lib/events/playback.go

@@ -53,7 +53,7 @@ func DetectFormat(r io.ReadSeeker) (*Header, error) {
 		return nil, trace.ConvertSystemError(err)
 	}
 	protocolVersion := binary.BigEndian.Uint64(version)
-	if protocolVersion == ProtoStreamV1 {
+	if protocolVersion >= ProtoStreamV1 && protocolVersion <= ProtoStreamV2 {
 		return &Header{
 			Proto:        true,
 			ProtoVersion: int64(protocolVersion),
@@ -83,11 +83,7 @@ func Export(ctx context.Context, rs io.ReadSeeker, w io.Writer, exportFormat str
 	}
 	switch {
 	case format.Proto:
-		protoReader, err := NewProtoReader(rs, nil)
-		if err != nil {
-			return trace.Wrap(err)
-		}
-
+		protoReader := NewProtoReader(rs, nil)
 		for {
 			event, err := protoReader.Read(ctx)
 			if err != nil {

lib/events/session_writer_test.go

@@ -74,8 +74,7 @@ func TestSessionWriter(t *testing.T) {
 		require.NoError(t, err)
 
 		for _, part := range parts {
-			reader, err := events.NewProtoReader(bytes.NewReader(part), nil)
-			require.NoError(t, err)
+			reader := events.NewProtoReader(bytes.NewReader(part), nil)
 			out, err := reader.ReadAll(test.ctx)
 			require.NoError(t, err, "part crash %#v", part)
 			outEvents = append(outEvents, out...)
@@ -421,8 +420,7 @@ func (a *sessionWriterTest) collectEvents(t *testing.T) []apievents.AuditEvent {
 	for _, part := range parts {
 		readers = append(readers, bytes.NewReader(part))
 	}
-	reader, err := events.NewProtoReader(io.MultiReader(readers...), nil)
-	require.NoError(t, err)
+	reader := events.NewProtoReader(io.MultiReader(readers...), nil)
 	outEvents, err := reader.ReadAll(a.ctx)
 	require.NoError(t, err, "failed to read")
 	t.Logf("Reader stats :%v", reader.GetStats().ToFields())

lib/events/stream.go

@@ -91,12 +91,12 @@ const (
 	// of the record header, it consists of the record length
 	ProtoStreamV1RecordHeaderSize = Int32Size
 
+	// AgeHeader prefixes all encrypted recording parts
+	AgeHeader = "age-encryption.org/"
+
 	// uploaderReservePartErrorMessage error message present when
 	// `ReserveUploadPart` fails.
 	uploaderReservePartErrorMessage = "uploader failed to reserve upload part"
-
-	// ageHeader prefixes all encrypted recording parts
-	ageHeader = "age-encryption.org/"
 )
 
 // An EncryptionWrapper wraps a given io.WriteCloser with encryption.
@@ -930,7 +930,7 @@ func (s *slice) reader() (io.ReadSeeker, error) {
 		s.buffer.Write(padding)
 	}
 	data := s.buffer.Bytes()
-	encrypted := slices.Equal(data[ProtoStreamV2PartHeaderSize:ProtoStreamV2PartHeaderSize+len(ageHeader)], []byte(ageHeader))
+	encrypted := slices.Equal(data[ProtoStreamV2PartHeaderSize:ProtoStreamV2PartHeaderSize+len(AgeHeader)], []byte(AgeHeader))
 	// when the slice was created, the first bytes were reserved
 	// for the protocol version number and size of the slice in bytes
 	binary.BigEndian.PutUint64(data[0:], ProtoStreamV2)
@@ -998,12 +998,12 @@ func (s *slice) recordEvent(event protoEvent) error {
 }
 
 // NewProtoReader returns a new proto reader with slice pool
-func NewProtoReader(r io.Reader, decrypter DecryptionWrapper) (*ProtoReader, error) {
+func NewProtoReader(r io.Reader, decrypter DecryptionWrapper) *ProtoReader {
 	return &ProtoReader{
 		reader:    r,
 		lastIndex: -1,
 		decrypter: decrypter,
-	}, nil
+	}
 }
 
 // SessionReader provides method to read
@@ -1156,6 +1156,9 @@ func (r *ProtoReader) Read(ctx context.Context) (apievents.AuditEvent, error) {
 			var encrypted bool
 			if protocolVersion > 1 {
 				_, err = io.ReadFull(r.reader, r.sizeBytes[:Int64Size])
+				if err != nil {
+					return nil, r.setError(trace.ConvertSystemError(err))
+				}
 				flags := r.sizeBytes[0]
 				encrypted = flags&ProtoStreamFlagEncrypted != 0
 			}