Add access requests to UserMetadata

gravitational · Jan 12, 2022 · 78d1ffd · 78d1ffd
1 parent 517a021
commit 78d1ffd
Show file tree

Hide file tree

Showing 6 changed files with 419 additions and 416 deletions.
diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/api/types/events/events.proto b/api/types/events/events.proto
@@ -66,6 +66,9 @@ message UserMetadata {
 
     // AWSRoleARN is AWS IAM role user assumes when accessing AWS console.
     string AWSRoleARN = 4 [ (gogoproto.jsontag) = "aws_role_arn,omitempty" ];
+
+    // AccessRequests are the IDs of access requests created by the user
+    repeated string AccessRequests = 5 [ (gogoproto.jsontag) = "access_requests,omitempty" ];
 }
 
 // Server is a server metadata
@@ -131,6 +134,9 @@ message KubernetesPodMetadata {
 
 // SessionStart is a session start event
 message SessionStart {
+    reserved 11;
+    reserved "AccessRequests";
+
     // Metadata is a common event metadata
     Metadata Metadata = 1
         [ (gogoproto.nullable) = false, (gogoproto.embed) = true, (gogoproto.jsontag) = "" ];
@@ -168,9 +174,6 @@ message SessionStart {
 
     // SessionRecording is the type of session recording.
     string SessionRecording = 10 [ (gogoproto.jsontag) = "session_recording,omitempty" ];
-
-    // AccessRequests are the IDs of access requests created by the user
-    repeated string AccessRequests = 11 [ (gogoproto.jsontag) = "access_requests,omitempty" ];
 }
 
 // SessionJoin emitted when another user joins a session

diff --git a/lib/kube/proxy/forwarder.go b/lib/kube/proxy/forwarder.go
@@ -329,11 +329,11 @@ func (c *authContext) eventClusterMeta() apievents.KubernetesClusterMetadata {
 }
 
 func (c *authContext) eventUserMeta() apievents.UserMetadata {
-	return apievents.UserMetadata{
-		User:         c.User.GetName(),
-		Login:        c.User.GetName(),
-		Impersonator: c.Identity.GetIdentity().Impersonator,
-	}
+	name := c.User.GetName()
+	meta := c.Identity.GetIdentity().GetUserMetadata()
+	meta.User = name
+	meta.Login = name
+	return meta
 }
 
 type dialFunc func(ctx context.Context, network, addr, serverID string) (net.Conn, error)

diff --git a/lib/srv/ctx.go b/lib/srv/ctx.go
@@ -834,9 +834,10 @@ func (c *ServerContext) ExecCommand() (*ExecCommand, error) {
 
 func (id *IdentityContext) GetUserMetadata() apievents.UserMetadata {
 	return apievents.UserMetadata{
-		Login:        id.Login,
-		User:         id.TeleportUser,
-		Impersonator: id.Impersonator,
+		Login:          id.Login,
+		User:           id.TeleportUser,
+		Impersonator:   id.Impersonator,
+		AccessRequests: id.ActiveRequests,
 	}
 }
 

diff --git a/lib/srv/sess.go b/lib/srv/sess.go
@@ -760,7 +760,6 @@ func (s *session) startInteractive(ch ssh.Channel, ctx *ServerContext) error {
 		},
 		TerminalSize:     params.Serialize(),
 		SessionRecording: ctx.SessionRecordingConfig.GetMode(),
-		AccessRequests:   ctx.Identity.ActiveRequests,
 	}
 
 	// Local address only makes sense for non-tunnel nodes.
@@ -904,7 +903,6 @@ func (s *session) startExec(channel ssh.Channel, ctx *ServerContext) error {
 			RemoteAddr: ctx.ServerConn.RemoteAddr().String(),
 		},
 		SessionRecording: ctx.SessionRecordingConfig.GetMode(),
-		AccessRequests:   ctx.Identity.ActiveRequests,
 	}
 	// Local address only makes sense for non-tunnel nodes.
 	if !ctx.srv.UseTunnel() {

diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go
@@ -609,8 +609,9 @@ func FromSubject(subject pkix.Name, expires time.Time) (*Identity, error) {
 
 func (id Identity) GetUserMetadata() events.UserMetadata {
 	return events.UserMetadata{
-		User:         id.Username,
-		Impersonator: id.Impersonator,
+		User:           id.Username,
+		Impersonator:   id.Impersonator,
+		AccessRequests: id.ActiveRequests,
 	}
 }