Refactor tctl InitFunc to return an authclient.ClientI

Returning the interface from the InitFunc allows tests to better
mock the auth client, which permits tests to be run without an
actual teleport process being launched.

The ClientI interface was also extended with additional methods
that tctl was already relying on.

lib/auth/authclient/clt.go

@@ -20,6 +20,7 @@ package authclient
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net"
@@ -41,8 +42,10 @@ import (
 	"github.com/gravitational/teleport/api/client/usertask"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	accessgraphsecretsv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/accessgraph/v1"
+	autoupdatev1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/autoupdate/v1"
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	dbobjectimportrulev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobjectimportrule/v1"
+	decisionv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1"
 	devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
 	integrationv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
@@ -56,6 +59,7 @@ import (
 	trustpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/trust/v1"
 	userspb "github.com/gravitational/teleport/api/gen/proto/go/teleport/users/v1"
 	"github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1"
+	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 	userpreferencesv1 "github.com/gravitational/teleport/api/gen/proto/go/userpreferences/v1"
 	"github.com/gravitational/teleport/api/mfa"
 	"github.com/gravitational/teleport/api/types"
@@ -1826,6 +1830,9 @@ type ClientI interface {
 	// when calling this method, but all RPCs will return "not implemented" errors
 	// (as per the default gRPC behavior).
 	WorkloadIdentityServiceClient() machineidv1pb.WorkloadIdentityServiceClient
+	SPIFFEFederationServiceClient() machineidv1pb.SPIFFEFederationServiceClient
+	WorkloadIdentityResourceServiceClient() workloadidentityv1pb.WorkloadIdentityResourceServiceClient
+	WorkloadIdentityIssuanceClient() workloadidentityv1pb.WorkloadIdentityIssuanceServiceClient
 
 	// NotificationServiceClient returns a notification service client.
 	// Clients connecting to  older Teleport versions, still get a client
@@ -1903,4 +1910,29 @@ type ClientI interface {
 
 	// GitServerReadOnlyClient returns the read-only client for Git servers.
 	GitServerReadOnlyClient() gitserver.ReadOnlyClient
+
+	DecisionClient() decisionv1.DecisionServiceClient
+
+	SetMFAPromptConstructor(pc mfa.PromptConstructor)
+
+	CreateAutoUpdateConfig(ctx context.Context, config *autoupdatev1pb.AutoUpdateConfig) (*autoupdatev1pb.AutoUpdateConfig, error)
+	UpdateAutoUpdateConfig(ctx context.Context, config *autoupdatev1pb.AutoUpdateConfig) (*autoupdatev1pb.AutoUpdateConfig, error)
+	UpsertAutoUpdateConfig(ctx context.Context, config *autoupdatev1pb.AutoUpdateConfig) (*autoupdatev1pb.AutoUpdateConfig, error)
+	DeleteAutoUpdateConfig(ctx context.Context) error
+
+	CreateAutoUpdateVersion(ctx context.Context, config *autoupdatev1pb.AutoUpdateVersion) (*autoupdatev1pb.AutoUpdateVersion, error)
+	UpdateAutoUpdateVersion(ctx context.Context, config *autoupdatev1pb.AutoUpdateVersion) (*autoupdatev1pb.AutoUpdateVersion, error)
+	UpsertAutoUpdateVersion(ctx context.Context, config *autoupdatev1pb.AutoUpdateVersion) (*autoupdatev1pb.AutoUpdateVersion, error)
+	DeleteAutoUpdateVersion(ctx context.Context) error
+
+	CreateAutoUpdateAgentRollout(ctx context.Context, config *autoupdatev1pb.AutoUpdateAgentRollout) (*autoupdatev1pb.AutoUpdateAgentRollout, error)
+	UpdateAutoUpdateAgentRollout(ctx context.Context, config *autoupdatev1pb.AutoUpdateAgentRollout) (*autoupdatev1pb.AutoUpdateAgentRollout, error)
+	UpsertAutoUpdateAgentRollout(ctx context.Context, config *autoupdatev1pb.AutoUpdateAgentRollout) (*autoupdatev1pb.AutoUpdateAgentRollout, error)
+	DeleteAutoUpdateAgentRollout(cxt context.Context) error
+
+	GetDesktopBootstrapScript(ctx context.Context) (string, error)
+
+	CrownJewelsClient() services.CrownJewels
+	UserTasksClient() services.UserTasks
+	Config() *tls.Config
 }

tool/tctl/common/access_request_command.go

@@ -128,7 +128,7 @@ func (c *AccessRequestCommand) Initialize(app *kingpin.Application, _ *tctlcfg.G
 
 // TryRun takes the CLI command as an argument (like "access-request list") and executes it.
 func (c *AccessRequestCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
-	var commandFunc func(ctx context.Context, client *authclient.Client) error
+	var commandFunc func(ctx context.Context, client authclient.ClientI) error
 	switch cmd {
 	case c.requestList.FullCommand():
 		commandFunc = c.List
@@ -160,7 +160,7 @@ func (c *AccessRequestCommand) TryRun(ctx context.Context, cmd string, clientFun
 	return true, trace.Wrap(err)
 }
 
-func (c *AccessRequestCommand) List(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) List(ctx context.Context, client authclient.ClientI) error {
 	var index proto.AccessRequestSort
 	switch c.sortIndex {
 	case "created":
@@ -203,7 +203,7 @@ func (c *AccessRequestCommand) List(ctx context.Context, client *authclient.Clie
 	return nil
 }
 
-func (c *AccessRequestCommand) Get(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Get(ctx context.Context, client authclient.ClientI) error {
 	reqs := []types.AccessRequest{}
 	for _, reqID := range strings.Split(c.reqIDs, ",") {
 		req, err := client.GetAccessRequests(ctx, types.AccessRequestFilter{
@@ -258,7 +258,7 @@ func (c *AccessRequestCommand) splitRoles() []string {
 	return roles
 }
 
-func (c *AccessRequestCommand) Approve(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Approve(ctx context.Context, client authclient.ClientI) error {
 	if c.delegator != "" {
 		ctx = authz.WithDelegator(ctx, c.delegator)
 	}
@@ -289,7 +289,7 @@ func (c *AccessRequestCommand) Approve(ctx context.Context, client *authclient.C
 	return nil
 }
 
-func (c *AccessRequestCommand) Deny(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Deny(ctx context.Context, client authclient.ClientI) error {
 	if c.delegator != "" {
 		ctx = authz.WithDelegator(ctx, c.delegator)
 	}
@@ -310,7 +310,7 @@ func (c *AccessRequestCommand) Deny(ctx context.Context, client *authclient.Clie
 	return nil
 }
 
-func (c *AccessRequestCommand) Create(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Create(ctx context.Context, client authclient.ClientI) error {
 	if len(c.roles) == 0 && len(c.requestedResourceIDs) == 0 {
 		c.roles = "*"
 	}
@@ -326,10 +326,10 @@ func (c *AccessRequestCommand) Create(ctx context.Context, client *authclient.Cl
 
 	if c.dryRun {
 		users := &struct {
-			*authclient.Client
+			authclient.ClientI
 			services.UserLoginStatesGetter
 		}{
-			Client:                client,
+			ClientI:               client,
 			UserLoginStatesGetter: client.UserLoginStateClient(),
 		}
 		err = services.ValidateAccessRequestForUser(ctx, clockwork.NewRealClock(), users, req, tlsca.Identity{}, services.ExpandVars(true))
@@ -346,7 +346,7 @@ func (c *AccessRequestCommand) Create(ctx context.Context, client *authclient.Cl
 	return nil
 }
 
-func (c *AccessRequestCommand) Delete(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Delete(ctx context.Context, client authclient.ClientI) error {
 	var approvedTokens []string
 	for _, reqID := range strings.Split(c.reqIDs, ",") {
 		// Fetch the requests first to see if they were approved to provide the
@@ -386,7 +386,7 @@ func (c *AccessRequestCommand) Delete(ctx context.Context, client *authclient.Cl
 	return nil
 }
 
-func (c *AccessRequestCommand) Caps(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Caps(ctx context.Context, client authclient.ClientI) error {
 	caps, err := client.GetAccessCapabilities(ctx, types.AccessCapabilitiesRequest{
 		User:               c.user,
 		RequestableRoles:   true,
@@ -422,7 +422,7 @@ func (c *AccessRequestCommand) Caps(ctx context.Context, client *authclient.Clie
 	}
 }
 
-func (c *AccessRequestCommand) Review(ctx context.Context, client *authclient.Client) error {
+func (c *AccessRequestCommand) Review(ctx context.Context, client authclient.ClientI) error {
 	if c.approve == c.deny {
 		return trace.BadParameter("must supply exactly one of '--approve' or '--deny'")
 	}

tool/tctl/common/accessmonitoring/command.go

@@ -114,7 +114,7 @@ func (c *Command) initAuditReportsCommands(auditCmd *kingpin.CmdClause, cfg *ser
 	})
 }
 
-type runFunc func(context.Context, *authclient.Client) error
+type runFunc func(context.Context, authclient.ClientI) error
 
 func (c *Command) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
 	handler, ok := c.innerCmdMap[cmd]
@@ -136,7 +136,7 @@ func (c *Command) TryRun(ctx context.Context, cmd string, clientFunc commonclien
 	}
 }
 
-func (c *cmdHandler) onAuditQueryExec(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditQueryExec(ctx context.Context, authClient authclient.ClientI) error {
 	if c.auditQuery == "" {
 		buff, err := io.ReadAll(os.Stdin)
 		if err != nil {
@@ -154,7 +154,7 @@ func (c *cmdHandler) onAuditQueryExec(ctx context.Context, authClient *authclien
 	return nil
 }
 
-func (c *cmdHandler) onAuditQueryGet(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditQueryGet(ctx context.Context, authClient authclient.ClientI) error {
 	auditQuery, err := authClient.SecReportsClient().GetSecurityAuditQuery(ctx, c.name)
 	if err != nil {
 		return trace.Wrap(err)
@@ -165,7 +165,7 @@ func (c *cmdHandler) onAuditQueryGet(ctx context.Context, authClient *authclient
 	return nil
 }
 
-func (c *cmdHandler) onAuditQueryLs(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditQueryLs(ctx context.Context, authClient authclient.ClientI) error {
 	auditQueries, err := authClient.SecReportsClient().GetSecurityAuditQueries(ctx)
 	if err != nil {
 		return trace.Wrap(err)
@@ -176,14 +176,14 @@ func (c *cmdHandler) onAuditQueryLs(ctx context.Context, authClient *authclient.
 	return nil
 }
 
-func (c *cmdHandler) onAuditQueryRm(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditQueryRm(ctx context.Context, authClient authclient.ClientI) error {
 	if err := authClient.SecReportsClient().DeleteSecurityAuditQuery(ctx, c.name); err != nil {
 		return trace.Wrap(err)
 	}
 	return nil
 }
 
-func (c *cmdHandler) onAuditQuerySchema(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditQuerySchema(ctx context.Context, authClient authclient.ClientI) error {
 	resp, err := authClient.SecReportsClient().GetSchema(ctx)
 	if err != nil {
 		return trace.Wrap(err)
@@ -201,7 +201,7 @@ func (c *cmdHandler) onAuditQuerySchema(ctx context.Context, authClient *authcli
 	return nil
 }
 
-func (c *cmdHandler) onAuditQueryCreate(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditQueryCreate(ctx context.Context, authClient authclient.ClientI) error {
 	if c.auditQuery == "" {
 		return trace.BadParameter("audit query required")
 	}
@@ -221,7 +221,7 @@ func (c *cmdHandler) onAuditQueryCreate(ctx context.Context, authClient *authcli
 	return nil
 }
 
-func (c *cmdHandler) onAuditReportLs(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditReportLs(ctx context.Context, authClient authclient.ClientI) error {
 	reports, err := authClient.SecReportsClient().GetSecurityReports(ctx)
 	if err != nil {
 		return trace.Wrap(err)
@@ -232,7 +232,7 @@ func (c *cmdHandler) onAuditReportLs(ctx context.Context, authClient *authclient
 	return trace.Wrap(err)
 }
 
-func (c *cmdHandler) onAuditReportGet(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditReportGet(ctx context.Context, authClient authclient.ClientI) error {
 	details, err := authClient.SecReportsClient().GetSecurityReportResult(ctx, c.name, c.days)
 	if err != nil {
 		return trace.Wrap(err)
@@ -243,15 +243,15 @@ func (c *cmdHandler) onAuditReportGet(ctx context.Context, authClient *authclien
 	return nil
 }
 
-func (c *cmdHandler) onAuditReportRun(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditReportRun(ctx context.Context, authClient authclient.ClientI) error {
 	err := authClient.SecReportsClient().RunSecurityReport(ctx, c.name, c.days)
 	if err != nil {
 		return trace.Wrap(err)
 	}
 	return nil
 }
 
-func (c *cmdHandler) onAuditReportState(ctx context.Context, authClient *authclient.Client) error {
+func (c *cmdHandler) onAuditReportState(ctx context.Context, authClient authclient.ClientI) error {
 	state, err := authClient.SecReportsClient().GetSecurityReportExecutionState(ctx, c.name, int32(c.days))
 	if err != nil {
 		return trace.Wrap(err)

tool/tctl/common/acl_command.go

@@ -96,7 +96,7 @@ func (c *ACLCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIFl
 
 // TryRun takes the CLI command as an argument (like "acl ls") and executes it.
 func (c *ACLCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
-	var commandFunc func(ctx context.Context, client *authclient.Client) error
+	var commandFunc func(ctx context.Context, client authclient.ClientI) error
 	switch cmd {
 	case c.ls.FullCommand():
 		commandFunc = c.List
@@ -122,7 +122,7 @@ func (c *ACLCommand) TryRun(ctx context.Context, cmd string, clientFunc commoncl
 }
 
 // List will list access lists visible to the user.
-func (c *ACLCommand) List(ctx context.Context, client *authclient.Client) error {
+func (c *ACLCommand) List(ctx context.Context, client authclient.ClientI) error {
 	var accessLists []*accesslist.AccessList
 	var nextKey string
 	for {
@@ -149,7 +149,7 @@ func (c *ACLCommand) List(ctx context.Context, client *authclient.Client) error
 }
 
 // Get will display information about an access list visible to the user.
-func (c *ACLCommand) Get(ctx context.Context, client *authclient.Client) error {
+func (c *ACLCommand) Get(ctx context.Context, client authclient.ClientI) error {
 	accessList, err := client.AccessListClient().GetAccessList(ctx, c.accessListName)
 	if err != nil {
 		return trace.Wrap(err)
@@ -159,7 +159,7 @@ func (c *ACLCommand) Get(ctx context.Context, client *authclient.Client) error {
 }
 
 // UsersAdd will add a user to an access list.
-func (c *ACLCommand) UsersAdd(ctx context.Context, client *authclient.Client) error {
+func (c *ACLCommand) UsersAdd(ctx context.Context, client authclient.ClientI) error {
 	var expires time.Time
 	if c.expires != "" {
 		var err error
@@ -205,7 +205,7 @@ func (c *ACLCommand) UsersAdd(ctx context.Context, client *authclient.Client) er
 }
 
 // UsersRemove will remove a user to an access list.
-func (c *ACLCommand) UsersRemove(ctx context.Context, client *authclient.Client) error {
+func (c *ACLCommand) UsersRemove(ctx context.Context, client authclient.ClientI) error {
 	err := client.AccessListClient().DeleteAccessListMember(ctx, c.accessListName, c.userName)
 	if err != nil {
 		return trace.Wrap(err)
@@ -217,7 +217,7 @@ func (c *ACLCommand) UsersRemove(ctx context.Context, client *authclient.Client)
 }
 
 // UsersList will list the users in an access list.
-func (c *ACLCommand) UsersList(ctx context.Context, client *authclient.Client) error {
+func (c *ACLCommand) UsersList(ctx context.Context, client authclient.ClientI) error {
 	var (
 		allMembers []*accesslist.AccessListMember
 		nextToken  string

tool/tctl/common/admin_action_test.go

@@ -1163,7 +1163,7 @@ func runTestCase(t *testing.T, ctx context.Context, client *authclient.Client, t
 	commandName, err := app.Parse(args)
 	require.NoError(t, err)
 
-	match, err := tc.cliCommand.TryRun(ctx, commandName, func(context.Context) (*authclient.Client, func(context.Context), error) {
+	match, err := tc.cliCommand.TryRun(ctx, commandName, func(context.Context) (authclient.ClientI, func(context.Context), error) {
 		return client, func(context.Context) {}, nil
 	})
 	require.True(t, match)

tool/tctl/common/alert_command.go

@@ -96,7 +96,7 @@ func (c *AlertCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLI
 
 // TryRun takes the CLI command as an argument (like "alerts ls") and executes it.
 func (c *AlertCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
-	var commandFunc func(ctx context.Context, client *authclient.Client) error
+	var commandFunc func(ctx context.Context, client authclient.ClientI) error
 	switch cmd {
 	case c.alertList.FullCommand():
 		commandFunc = c.List
@@ -117,7 +117,7 @@ func (c *AlertCommand) TryRun(ctx context.Context, cmd string, clientFunc common
 	return true, trace.Wrap(err)
 }
 
-func (c *AlertCommand) ListAck(ctx context.Context, client *authclient.Client) error {
+func (c *AlertCommand) ListAck(ctx context.Context, client authclient.ClientI) error {
 	acks, err := client.GetAlertAcks(ctx)
 	if err != nil {
 		return trace.Wrap(err)
@@ -135,7 +135,7 @@ func (c *AlertCommand) ListAck(ctx context.Context, client *authclient.Client) e
 	return nil
 }
 
-func (c *AlertCommand) Ack(ctx context.Context, client *authclient.Client) error {
+func (c *AlertCommand) Ack(ctx context.Context, client authclient.ClientI) error {
 	if c.clear {
 		return c.ClearAck(ctx, client)
 	}
@@ -164,7 +164,7 @@ func (c *AlertCommand) Ack(ctx context.Context, client *authclient.Client) error
 	return nil
 }
 
-func (c *AlertCommand) ClearAck(ctx context.Context, client *authclient.Client) error {
+func (c *AlertCommand) ClearAck(ctx context.Context, client authclient.ClientI) error {
 	req := proto.ClearAlertAcksRequest{
 		AlertID: c.alertID,
 	}
@@ -178,7 +178,7 @@ func (c *AlertCommand) ClearAck(ctx context.Context, client *authclient.Client)
 	return nil
 }
 
-func (c *AlertCommand) List(ctx context.Context, client *authclient.Client) error {
+func (c *AlertCommand) List(ctx context.Context, client authclient.ClientI) error {
 	labels, err := libclient.ParseLabelSpec(c.labels)
 	if err != nil {
 		return trace.Wrap(err)
@@ -269,7 +269,7 @@ func displayAlertsJSON(alerts []types.ClusterAlert) error {
 	return nil
 }
 
-func (c *AlertCommand) Create(ctx context.Context, client *authclient.Client) error {
+func (c *AlertCommand) Create(ctx context.Context, client authclient.ClientI) error {
 	labels, err := libclient.ParseLabelSpec(c.labels)
 	if err != nil {
 		return trace.Wrap(err)

tool/tctl/common/app_command.go

@@ -71,7 +71,7 @@ func (c *AppsCommand) Initialize(app *kingpin.Application, _ *tctlcfg.GlobalCLIF
 
 // TryRun attempts to run subcommands like "apps ls".
 func (c *AppsCommand) TryRun(ctx context.Context, cmd string, clientFunc commonclient.InitFunc) (match bool, err error) {
-	var commandFunc func(ctx context.Context, client *authclient.Client) error
+	var commandFunc func(ctx context.Context, client authclient.ClientI) error
 	switch cmd {
 	case c.appsList.FullCommand():
 		commandFunc = c.ListApps
@@ -90,7 +90,7 @@ func (c *AppsCommand) TryRun(ctx context.Context, cmd string, clientFunc commonc
 
 // ListApps prints the list of applications that have recently sent heartbeats
 // to the cluster.
-func (c *AppsCommand) ListApps(ctx context.Context, clt *authclient.Client) error {
+func (c *AppsCommand) ListApps(ctx context.Context, clt authclient.ClientI) error {
 	labels, err := libclient.ParseLabelSpec(c.labels)
 	if err != nil {
 		return trace.Wrap(err)