From c3a826fc11fd276640ca625ce26f9d89216a499b Mon Sep 17 00:00:00 2001
From: joerger
Date: Mon, 2 May 2022 15:27:26 -0700
Subject: [PATCH] Resolve comments.
---
 api/client/proto/authservice.pb.go | 98 +++++++++++++++++-------------
 api/client/proto/authservice.proto | 18 +++++-
 lib/auth/auth_with_roles.go | 79 +++++++++++------------
 lib/kube/proxy/sess.go | 20 +++---
 lib/srv/app/session.go | 2 +-
 lib/srv/db/common/auth.go | 2 +-
 lib/srv/db/common/engines.go | 2 +-
 lib/srv/db/proxyserver.go | 2 +-
 lib/srv/db/server.go | 2 +-
 lib/srv/sess.go | 21 ++++---
 10 files changed, 133 insertions(+), 113 deletions(-)
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
index 1f8a1d9ce8211..96eac88fa06b8 100644
--- a/api/client/proto/authservice.pb.go
+++ b/api/client/proto/authservice.pb.go
@@ -9569,43 +9569,55 @@ func (m *ListResourcesResponse) GetTotalCount() int32 { // CreateSessionTrackerRequest is a request to create a new session. // // This is not specific to any session type. Relevant fields should be set for a given session type. -// -// TODO(bjoerger): Deprecate/reserve fields 1 to 14 in favor of seessionTracker field. type CreateSessionTrackerRequest struct { // Namespace is a session namespace, separating sessions from each other. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Namespace string `protobuf:"bytes,1,opt,name=Namespace,proto3" json:"namespace,omitempty"` // Type describes what type of session this is. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Type string `protobuf:"bytes,2,opt,name=Type,proto3" json:"type,omitempty"` // Reason is an arbitrary string that may be used to describe the session and/or it's // purpose. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Reason string `protobuf:"bytes,3,opt,name=Reason,proto3" json:"reason,omitempty"` // Invited is a list of invited users, this field is interpreted by different // clients on a best-effort basis and used for delivering notifications to invited users. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Invited []string `protobuf:"bytes,4,rep,name=Invited,proto3" json:"invited,omitempty"` // Hostname is the address of the target this session is connected to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Hostname string `protobuf:"bytes,5,opt,name=Hostname,proto3" json:"target_hostname,omitempty"` // Address is the address of the target this session is connected to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Address string `protobuf:"bytes,6,opt,name=Address,proto3" json:"target_address,omitempty"` // ClusterName is the name of cluster that this session belongs to. 
+ // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. ClusterName string `protobuf:"bytes,7,opt,name=ClusterName,proto3" json:"cluster_name,omitempty"` // Login is the local login/user on the target used by the session. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Login string `protobuf:"bytes,8,opt,name=Login,proto3" json:"login,omitempty"` // Initiator is the participant that initiated the session. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Initiator *types.Participant `protobuf:"bytes,9,opt,name=Initiator,proto3" json:"initiator,omitempty"` // Expires encodes the time at which this session expires and becomes invalid. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. Expires time.Time `protobuf:"bytes,10,opt,name=Expires,proto3,stdtime" json:"expires,omitempty"` // The Kubernetes cluster this session belongs to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. KubernetesCluster string `protobuf:"bytes,11,opt,name=KubernetesCluster,proto3" json:"kubernetes_cluster,omitempty"` // HostUser is the user regarded as the owner of this session, RBAC checks are performed // against the require policies of this user. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. HostUser string `protobuf:"bytes,12,opt,name=HostUser,proto3" json:"host_user,omitempty"` // ID is the ID of the session. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. ID string `protobuf:"bytes,13,opt,name=ID,proto3" json:"id,omitempty"` // HostPolicies is a list of RBAC policy sets held by the host user at the time of session // creation. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. HostPolicies []*types.SessionTrackerPolicySet `protobuf:"bytes,14,rep,name=HostPolicies,proto3" json:"host_policies,omitempty"` // sessionTracker is the session tracker to be created. 
- SessionTracker *types.SessionTrackerV1 `protobuf:"bytes,15,opt,name=sessionTracker,proto3" json:"session_tracker,omitempty"` + SessionTracker *types.SessionTrackerV1 `protobuf:"bytes,15,opt,name=SessionTracker,proto3" json:"session_tracker,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -10893,45 +10905,45 @@ var fileDescriptor_ce8bd90b12161215 = []byte{ 0x33, 0x91, 0x20, 0x52, 0xdf, 0xa5, 0x6e, 0xec, 0xda, 0xb2, 0x21, 0xba, 0x49, 0xd3, 0x40, 0xcc, 0x46, 0x61, 0xc3, 0xda, 0x65, 0x7c, 0x76, 0x7b, 0x1d, 0x35, 0x61, 0x86, 0xb4, 0xde, 0xf3, 0x3a, 0x6e, 0xcb, 0xc5, 0x41, 0x71, 0x4e, 0x73, 0x76, 0xeb, 0x8b, 0x82, 0x36, 0x7a, 0x51, 0xc7, 0x21, - 0xdb, 0x53, 0x69, 0xd7, 0x3d, 0x0e, 0xa8, 0xee, 0xa9, 0x2a, 0x42, 0xf4, 0xbb, 0x30, 0x17, 0x68, - 0x58, 0x78, 0x7a, 0xd7, 0xa5, 0xd4, 0x2e, 0x1a, 0xef, 0x89, 0x8d, 0x82, 0x3d, 0x07, 0x09, 0x59, - 0xb1, 0xaa, 0x9e, 0x75, 0x6c, 0x96, 0x0d, 0xc5, 0xe8, 0x46, 0x2e, 0xb6, 0x7a, 0x3f, 0x4c, 0x3e, - 0x36, 0xa1, 0xa9, 0x0d, 0xa3, 0xc7, 0x26, 0xaa, 0x40, 0x44, 0xcf, 0x4e, 0x0e, 0xe0, 0xba, 0x8d, - 0x4f, 0xbd, 0x67, 0xf8, 0xf5, 0xa2, 0xfd, 0x19, 0x5c, 0xd3, 0x11, 0x1e, 0xf4, 0xda, 0xf4, 0xf1, - 0x2a, 0xbb, 0xfa, 0x4b, 0x4d, 0x8e, 0xc2, 0x01, 0x58, 0x72, 0x14, 0xf6, 0xe2, 0x9e, 0xfc, 0xa9, - 0xae, 0x07, 0x5a, 0x67, 0x79, 0xb0, 0xac, 0x23, 0xaf, 0xb4, 0xdb, 0xca, 0x42, 0x20, 0x06, 0xa5, - 0xf2, 0x19, 0xb3, 0x60, 0xd5, 0x15, 0x43, 0x35, 0x67, 0x2f, 0x2a, 0x50, 0xd7, 0xaa, 0xd2, 0xce, - 0xc2, 0x50, 0x8e, 0xb3, 0x87, 0xb0, 0x4c, 0xed, 0xb3, 0x0a, 0xb3, 0xca, 0xa7, 0x3c, 0x10, 0x52, - 0x55, 0xa2, 0xf4, 0xa0, 0x33, 0x4c, 0x07, 0xb1, 0x5a, 0x50, 0x4a, 0x63, 0x1a, 0x5d, 0x66, 0x2f, - 0xd0, 0x46, 0xb4, 0x74, 0x47, 0x5f, 0xb9, 0x5e, 0x36, 0x3e, 0x8e, 0xfb, 0x3b, 0xe3, 0x70, 0x9d, - 0x4f, 0xc6, 0xeb, 0x9c, 0x71, 0xf4, 0x03, 0x4c, 0x2b, 0x73, 0xcc, 0x99, 0x7e, 0x53, 0x44, 0x69, - 0x98, 0x64, 0x81, 0xe9, 0xcb, 0x3e, 0x2d, 0x68, 0xc6, 0xa6, 0x9b, 0x18, 0xc6, 0xaa, 0xd8, 0x74, - 0x60, 0x4e, 0x9f, 0x68, 0x7e, 0xd8, 0xb8, 0x9d, 0xda, 0x89, 0xde, 0x54, 0xa4, 0x09, 0x68, 0x37, - 0x53, 0xa7, 0x9b, 0xe6, 0xa2, 0xd5, 0x85, 0xe8, 0x47, 0xb8, 0x92, 0x98, 0x65, 0x7e, 0x36, 0x79, - 0x2b, 0xb5, 0xc3, 0x44, 0x6b, 0xa6, 0xfc, 0x7c, 0x5a, 0x6c, 0xec, 0x36, 0xd9, 0x09, 0x6a, 0xc3, - 0x8c, 0x3a, 0xf1, 0xfc, 0xf0, 0x72, 0x6b, 0x08, 0x2b, 0x59, 0x43, 
0xa6, 0xaa, 0x38, 0x2f, 0xe9, - 0xdc, 0xeb, 0xe9, 0xdb, 0x35, 0xac, 0xd5, 0x1c, 0x4c, 0xb2, 0x6f, 0xa2, 0x02, 0xf6, 0x7c, 0x1c, - 0xe0, 0x6e, 0x0b, 0xab, 0x01, 0x37, 0xaf, 0xaa, 0x02, 0xfe, 0x7d, 0x06, 0x8a, 0x69, 0x78, 0xeb, - 0xb8, 0xdb, 0x46, 0x7b, 0x50, 0x88, 0x77, 0xc4, 0xa5, 0xda, 0x12, 0x16, 0x95, 0x99, 0xa4, 0xad, - 0x4b, 0x76, 0x02, 0x9a, 0x6c, 0x42, 0x4a, 0xd9, 0x05, 0x23, 0x9b, 0x92, 0xa0, 0x8a, 0x83, 0xe3, - 0x9d, 0x77, 0x20, 0x2f, 0xd3, 0xf8, 0xa3, 0x1c, 0x8c, 0x6f, 0xef, 0x6e, 0xef, 0xb3, 0xb4, 0x70, - 0x7b, 0x07, 0xfb, 0x85, 0x0c, 0x02, 0x98, 0x5c, 0xdf, 0xd8, 0xd9, 0xd8, 0xdf, 0x28, 0x64, 0xdf, - 0x69, 0xaa, 0xae, 0x02, 0x74, 0x1d, 0x96, 0xd6, 0x37, 0x1a, 0xdb, 0xb5, 0x8d, 0xe6, 0xfe, 0x9f, - 0xdb, 0xdb, 0x68, 0x1e, 0xec, 0xd6, 0xf7, 0x36, 0x6a, 0xdb, 0x0f, 0xb6, 0x37, 0xd6, 0x0b, 0x97, - 0xd0, 0x02, 0x14, 0xd4, 0xca, 0xfd, 0xc7, 0xfb, 0x7b, 0x85, 0x0c, 0x2a, 0xc2, 0x82, 0x5a, 0xfa, - 0x64, 0xa3, 0x5a, 0x39, 0xd8, 0xdf, 0xda, 0x2d, 0x8c, 0x59, 0xe3, 0xb9, 0x6c, 0x21, 0xfb, 0xce, - 0x0f, 0x9a, 0x1f, 0x01, 0x2d, 0x43, 0x91, 0x37, 0x3f, 0xa8, 0x57, 0x36, 0xcd, 0x5d, 0xb0, 0xda, - 0x47, 0x0f, 0x2a, 0x85, 0x0c, 0xba, 0x01, 0xd7, 0xb4, 0xd2, 0xbd, 0x4a, 0xbd, 0xfe, 0xe4, 0xb1, - 0xbd, 0xbe, 0xb3, 0x51, 0xaf, 0x17, 0xb2, 0xef, 0xbc, 0xc5, 0xe3, 0x24, 0xd0, 0x1c, 0xc0, 0xfa, - 0x46, 0xbd, 0xb6, 0xb1, 0xbb, 0xbe, 0xbd, 0xbb, 0x59, 0xb8, 0x84, 0x66, 0x21, 0x5f, 0x91, 0x9f, - 0x99, 0xd5, 0xdf, 0x73, 0x60, 0x9a, 0xf0, 0x53, 0x1c, 0xbb, 0x9b, 0xb0, 0xf4, 0xc8, 0x71, 0xbb, - 0xa1, 0xe3, 0x76, 0xb9, 0x14, 0x88, 0x39, 0x44, 0xe5, 0x21, 0x93, 0x4a, 0xe4, 0xa1, 0x34, 0x2a, - 0x1a, 0xec, 0x4e, 0xe6, 0x7e, 0x06, 0xd5, 0x61, 0x21, 0xcd, 0x80, 0x45, 0x96, 0x9e, 0x6f, 0x22, - 0x4d, 0xad, 0x95, 0x4c, 0x7b, 0x30, 0x7a, 0x04, 0x57, 0x12, 0x9b, 0xaa, 0xa4, 0xd7, 0xb4, 0xdd, - 0x0e, 0x43, 0x57, 0xa4, 0x2e, 0xd5, 0xd0, 0x8d, 0x6f, 0xa9, 0x01, 0xba, 0x9a, 0x50, 0xd8, 0x1b, - 0x64, 0xd1, 0x18, 0x91, 0xdd, 0xcf, 0x20, 0x1b, 0x16, 0xd2, 0xb6, 0x67, 0x39, 0xe4, 0x21, 0x7b, - 0x77, 
0xc9, 0xd0, 0x1d, 0xc1, 0x99, 0xb6, 0x01, 0x48, 0x9c, 0x43, 0x76, 0x07, 0x23, 0xce, 0xcf, - 0xc9, 0x51, 0xb8, 0xdb, 0x7e, 0x88, 0x71, 0xaf, 0xd2, 0x71, 0x9f, 0xe1, 0x00, 0x89, 0x58, 0x46, + 0xdb, 0x53, 0x69, 0xd7, 0x3d, 0x0e, 0xa8, 0xee, 0xa9, 0x2a, 0x42, 0xf4, 0xbb, 0x64, 0x3f, 0x50, + 0xb1, 0xf0, 0xf4, 0xae, 0x4b, 0xa9, 0x5d, 0x34, 0xde, 0x13, 0x1b, 0x05, 0x7b, 0x0e, 0x12, 0xb2, + 0x62, 0x7d, 0xa3, 0x50, 0x01, 0x2c, 0x1b, 0x8a, 0xd1, 0x8d, 0x5c, 0x6c, 0xf5, 0x7e, 0x98, 0x7c, + 0x6c, 0x42, 0x53, 0x1b, 0x46, 0x8f, 0x4d, 0x54, 0x81, 0x88, 0x9e, 0x9d, 0x1c, 0xc0, 0x75, 0x1b, + 0x9f, 0x7a, 0xcf, 0xf0, 0xeb, 0x45, 0xfb, 0x33, 0xb8, 0xa6, 0x23, 0x3c, 0xe8, 0xb5, 0xe9, 0xe3, + 0x55, 0x76, 0xf5, 0x97, 0x9a, 0x1c, 0x85, 0x03, 0xb0, 0xe4, 0x28, 0xec, 0xc5, 0x3d, 0xf9, 0x53, + 0x5d, 0x0f, 0xb4, 0xce, 0xf2, 0x60, 0x59, 0x47, 0x5e, 0x69, 0xb7, 0x95, 0x85, 0x40, 0x0c, 0x4a, + 0xe5, 0x33, 0x66, 0xc1, 0xaa, 0x2b, 0x86, 0x6a, 0xce, 0x5e, 0x54, 0xa0, 0xae, 0x55, 0xa5, 0x9d, + 0x85, 0xa1, 0x1c, 0x67, 0x0f, 0x61, 0x99, 0xda, 0x67, 0x15, 0x66, 0x95, 0x4f, 0x79, 0x20, 0xa4, + 0xaa, 0x44, 0xe9, 0x41, 0x67, 0x98, 0x0e, 0x62, 0xb5, 0xa0, 0x94, 0xc6, 0x34, 0xba, 0xcc, 0x5e, + 0xa0, 0x8d, 0x68, 0xe9, 0x8e, 0xbe, 0x72, 0xbd, 0x6c, 0x7c, 0x1c, 0xf7, 0x77, 0xc6, 0xe1, 0x3a, + 0x9f, 0x8c, 0xd7, 0x39, 0xe3, 0xe8, 0x07, 0x98, 0x56, 0xe6, 0x98, 0x33, 0xfd, 0xa6, 0x88, 0xd2, + 0x30, 0xc9, 0x02, 0xd3, 0x97, 0x7d, 0x5a, 0xd0, 0x8c, 0x4d, 0x37, 0x31, 0x8c, 0x55, 0xb1, 0xe9, + 0xc0, 0x9c, 0x3e, 0xd1, 0xfc, 0xb0, 0x71, 0x3b, 0xb5, 0x13, 0xbd, 0xa9, 0x48, 0x13, 0xd0, 0x6e, + 0xa6, 0x4e, 0x37, 0xcd, 0x45, 0xab, 0x0b, 0xd1, 0x8f, 0x70, 0x25, 0x31, 0xcb, 0xfc, 0x6c, 0xf2, + 0x56, 0x6a, 0x87, 0x89, 0xd6, 0x4c, 0xf9, 0xf9, 0xb4, 0xd8, 0xd8, 0x6d, 0xb2, 0x13, 0xd4, 0x86, + 0x19, 0x75, 0xe2, 0xf9, 0xe1, 0xe5, 0xd6, 0x10, 0x56, 0xb2, 0x86, 0x4c, 0x55, 0x71, 0x5e, 0xd2, + 0xb9, 0xd7, 0xd3, 0xb7, 0x6b, 0x58, 0xab, 0x39, 0x98, 0x64, 0xdf, 0x44, 0x05, 0xec, 0xf9, 0x38, + 0xc0, 0xdd, 0x16, 0x56, 0x03, 0x6e, 0x5e, 
0x55, 0x05, 0xfc, 0xfb, 0x0c, 0x14, 0xd3, 0xf0, 0xd6, + 0x71, 0xb7, 0x8d, 0xf6, 0xa0, 0x10, 0xef, 0x88, 0x4b, 0xb5, 0x25, 0x2c, 0x2a, 0x33, 0x49, 0x5b, + 0x97, 0xec, 0x04, 0x34, 0xd9, 0x84, 0x94, 0xb2, 0x0b, 0x46, 0x36, 0x25, 0x41, 0x15, 0x07, 0xc7, + 0x3b, 0xef, 0x40, 0x5e, 0xa6, 0xf1, 0x47, 0x39, 0x18, 0xdf, 0xde, 0xdd, 0xde, 0x67, 0x69, 0xe1, + 0xf6, 0x0e, 0xf6, 0x0b, 0x19, 0x04, 0x30, 0xb9, 0xbe, 0xb1, 0xb3, 0xb1, 0xbf, 0x51, 0xc8, 0xbe, + 0xd3, 0x54, 0x5d, 0x05, 0xe8, 0x3a, 0x2c, 0xad, 0x6f, 0x34, 0xb6, 0x6b, 0x1b, 0xcd, 0xfd, 0x3f, + 0xb7, 0xb7, 0xd1, 0x3c, 0xd8, 0xad, 0xef, 0x6d, 0xd4, 0xb6, 0x1f, 0x6c, 0x6f, 0xac, 0x17, 0x2e, + 0xa1, 0x05, 0x28, 0xa8, 0x95, 0xfb, 0x8f, 0xf7, 0xf7, 0x0a, 0x19, 0x54, 0x84, 0x05, 0xb5, 0xf4, + 0xc9, 0x46, 0xb5, 0x72, 0xb0, 0xbf, 0xb5, 0x5b, 0x18, 0xb3, 0xc6, 0x73, 0xd9, 0x42, 0xf6, 0x9d, + 0x1f, 0x34, 0x3f, 0x02, 0x5a, 0x86, 0x22, 0x6f, 0x7e, 0x50, 0xaf, 0x6c, 0x9a, 0xbb, 0x60, 0xb5, + 0x8f, 0x1e, 0x54, 0x0a, 0x19, 0x74, 0x03, 0xae, 0x69, 0xa5, 0x7b, 0x95, 0x7a, 0xfd, 0xc9, 0x63, + 0x7b, 0x7d, 0x67, 0xa3, 0x5e, 0x2f, 0x64, 0xdf, 0x79, 0x8b, 0xc7, 0x49, 0xa0, 0x39, 0x80, 0xf5, + 0x8d, 0x7a, 0x6d, 0x63, 0x77, 0x7d, 0x7b, 0x77, 0xb3, 0x70, 0x09, 0xcd, 0x42, 0xbe, 0x22, 0x3f, + 0x33, 0xab, 0xbf, 0xe7, 0xc0, 0x34, 0xe1, 0xa7, 0x38, 0x76, 0x37, 0x61, 0xe9, 0x91, 0xe3, 0x76, + 0x43, 0xc7, 0xed, 0x72, 0x29, 0x10, 0x73, 0x88, 0xca, 0x43, 0x26, 0x95, 0xc8, 0x43, 0x69, 0x54, + 0x34, 0xd8, 0x9d, 0xcc, 0xfd, 0x0c, 0xaa, 0xc3, 0x42, 0x9a, 0x01, 0x8b, 0x2c, 0x3d, 0xdf, 0x44, + 0x9a, 0x5a, 0x2b, 0x99, 0xf6, 0x60, 0xf4, 0x08, 0xae, 0x24, 0x36, 0x55, 0x49, 0xaf, 0x69, 0xbb, + 0x1d, 0x86, 0xae, 0x48, 0x5d, 0xaa, 0xa1, 0x1b, 0xdf, 0x52, 0x03, 0x74, 0x35, 0xa1, 0xb0, 0x37, + 0xc8, 0xa2, 0x31, 0x22, 0xbb, 0x9f, 0x41, 0x36, 0x2c, 0xa4, 0x6d, 0xcf, 0x72, 0xc8, 0x43, 0xf6, + 0xee, 0x92, 0xa1, 0x3b, 0x82, 0x33, 0x6d, 0x03, 0x90, 0x38, 0x87, 0xec, 0x0e, 0x46, 0x9c, 0x9f, + 0x13, 0xd3, 0xa7, 0xdb, 0x7e, 0x88, 0x71, 0xaf, 0xd2, 0x71, 0x9f, 0xe1, 0x00, 
0x89, 0x58, 0x46, 0x59, 0x64, 0x82, 0xbd, 0x93, 0x41, 0xbf, 0x05, 0xd3, 0x34, 0x73, 0x30, 0x0f, 0xbd, 0x99, 0x51, 0xb3, 0x09, 0x97, 0xc4, 0x17, 0xad, 0xbc, 0x9f, 0x41, 0x5f, 0xc0, 0xd4, 0x26, 0xa6, 0xb1, 0x27, 0xe8, 0x56, 0xec, 0x07, 0x32, 0xb6, 0xbb, 0xf2, 0x5c, 0x22, 0x08, 0x8e, 0xfb, 0x91, 0x50, 0x0d, @@ -11068,7 +11080,7 @@ var fileDescriptor_ce8bd90b12161215 = []byte{ 0xec, 0x0f, 0xa9, 0x74, 0x7e, 0x0d, 0xb3, 0xda, 0x0b, 0x5b, 0x29, 0xfe, 0x69, 0xcf, 0xbc, 0xa5, 0xb7, 0x3a, 0xf5, 0x51, 0x6e, 0xb5, 0xf0, 0x8b, 0xff, 0xbe, 0x92, 0xf9, 0xc5, 0xaf, 0x56, 0x32, 0xff, 0xe5, 0x57, 0x2b, 0x99, 0x5f, 0xfe, 0x6a, 0x25, 0x73, 0x38, 0x49, 0x9b, 0xaf, 0xfd, 0xbf, - 0x00, 0x00, 0x00, 0xff, 0xff, 0xa9, 0xbe, 0xfb, 0x3a, 0x1a, 0x93, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xff, 0xff, 0x1c, 0x91, 0xfd, 0x7c, 0x1a, 0x93, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. diff --git a/api/client/proto/authservice.proto b/api/client/proto/authservice.proto index f451797d854a4..6957982f16410 100644 --- a/api/client/proto/authservice.proto +++ b/api/client/proto/authservice.proto 
@@ -1527,39 +1527,47 @@ message ListResourcesResponse { // CreateSessionTrackerRequest is a request to create a new session. // // This is not specific to any session type. Relevant fields should be set for a given session type. -// -// TODO(bjoerger): Deprecate/reserve fields 1 to 14 in favor of seessionTracker field. message CreateSessionTrackerRequest { // Namespace is a session namespace, separating sessions from each other. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string Namespace = 1 [ (gogoproto.jsontag) = "namespace,omitempty" ]; // Type describes what type of session this is. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string Type = 2 [ (gogoproto.jsontag) = "type,omitempty" ]; // Reason is an arbitrary string that may be used to describe the session and/or it's // purpose. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string Reason = 3 [ (gogoproto.jsontag) = "reason,omitempty" ]; // Invited is a list of invited users, this field is interpreted by different // clients on a best-effort basis and used for delivering notifications to invited users. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. repeated string Invited = 4 [ (gogoproto.jsontag) = "invited,omitempty" ]; // Hostname is the address of the target this session is connected to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string Hostname = 5 [ (gogoproto.jsontag) = "target_hostname,omitempty" ]; // Address is the address of the target this session is connected to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string Address = 6 [ (gogoproto.jsontag) = "target_address,omitempty" ]; // ClusterName is the name of cluster that this session belongs to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. 
string ClusterName = 7 [ (gogoproto.jsontag) = "cluster_name,omitempty" ]; // Login is the local login/user on the target used by the session. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string Login = 8 [ (gogoproto.jsontag) = "login,omitempty" ]; // Initiator is the participant that initiated the session. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. types.Participant Initiator = 9 [ (gogoproto.jsontag) = "initiator,omitempty" ]; // Expires encodes the time at which this session expires and becomes invalid. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. google.protobuf.Timestamp Expires = 10 [ (gogoproto.stdtime) = true, (gogoproto.nullable) = false, @@ -1567,22 +1575,26 @@ message CreateSessionTrackerRequest { ]; // The Kubernetes cluster this session belongs to. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string KubernetesCluster = 11 [ (gogoproto.jsontag) = "kubernetes_cluster,omitempty" ]; // HostUser is the user regarded as the owner of this session, RBAC checks are performed // against the require policies of this user. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string HostUser = 12 [ (gogoproto.jsontag) = "host_user,omitempty" ]; // ID is the ID of the session. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. string ID = 13 [ (gogoproto.jsontag) = "id,omitempty" ]; // HostPolicies is a list of RBAC policy sets held by the host user at the time of session // creation. + // DELETE IN V11 - deprecated/reserve in favor of SessionTracker field. repeated types.SessionTrackerPolicySet HostPolicies = 14 [ (gogoproto.jsontag) = "host_policies,omitempty" ]; // sessionTracker is the session tracker to be created. - types.SessionTrackerV1 sessionTracker = 15 + types.SessionTrackerV1 SessionTracker = 15 [ (gogoproto.jsontag) = "session_tracker,omitempty" ]; } 
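Review bot: The comment on field 15 still reads `// sessionTracker is the session tracker to be created.` although this hunk renames the field to `SessionTracker`; it should read `// SessionTracker is the session tracker to be created.` (the generated authservice.pb.go carries the same stale text, so regenerating after the fix covers both). Fields 1 to 14 are marked `DELETE IN V11` only in comments; adding the standard `[deprecated = true]` field option next to the existing `gogoproto.jsontag` option would surface the deprecation in generated code and tooling rather than relying on a reader noticing the comment. The message-level sentence "Relevant fields should be set for a given session type" now describes only the deprecated fields and could instead point callers at the SessionTracker field.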
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 707d45e4464b3..f455e3b16a07a 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -195,15 +195,9 @@ func (a *ServerWithRoles) actionForKindSSHSession(namespace, verb string, sid se
 return trace.Wrap(a.actionWithExtendedContext(namespace, types.KindSSHSession, verb, extendContext))
 }
 
-// hasBuiltinRole checks the type of the role set returned and the name.
-// Returns true if role set is builtin and the name matches.
-func (a *ServerWithRoles) hasBuiltinRole(name string) bool {
- return HasBuiltinRole(a.context.Checker, name)
-}
-
-// hasBuildinRoleInList checks that the attached checker is a BuiltinRoleSet
+// hasBuiltinRole checks that the attached checker is a BuiltinRoleSet
 // and whether any of the given roles match the role set.
-func (a *ServerWithRoles) hasBuiltinRoleInList(roles ...types.SystemRole) bool {
+func (a *ServerWithRoles) hasBuiltinRole(roles ...types.SystemRole) bool {
 for _, role := range roles {
 if HasBuiltinRole(a.context.Checker, string(role)) {
 return true
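Review bot: With `hasBuiltinRole` now variadic, nothing stops a call site from passing no roles at all; the loop then never runs and the function, whose closing return lies past the end of this hunk, presumably reports false, so such a call fails closed — but the old single-`string` signature made a missing role a compile error, and that guarantee is gone. Worth recording the property in the doc comment so a later edit does not turn an empty list into a match: `// A call with no roles never matches.` hasBuiltinRole's body continues outside the hunk.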
@@ -250,10 +244,14 @@ func hasLocalUserRole(checker services.AccessChecker) bool {
 return ok
 }
 
+var sessionTrackerRoles = []types.SystemRole{types.RoleKube, types.RoleNode, types.RoleProxy, types.RoleDatabase, types.RoleApp, types.RoleWindowsDesktop}
+
+const sessionTrackerAccessDeniedMessage = "this request can only be executed by a node, proxy, kube, db, app, or windows desktop service"
+
 // CreateSessionTracker creates a tracker resource for an active session.
 func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker types.SessionTracker) (types.SessionTracker, error) {
- if a.hasBuiltinRoleInList(types.RoleKube, types.RoleNode, types.RoleProxy, types.RoleDatabase, types.RoleApp, types.RoleWindowsDesktop) {
- return nil, trace.AccessDenied("this request can be only executed by a node, proxy, kube, db, app, or windows desktop service")
+ if !a.hasBuiltinRole(sessionTrackerRoles...) {
+ return nil, trace.AccessDenied(sessionTrackerAccessDeniedMessage)
 }
 
 tracker, err := a.authServer.CreateSessionTracker(ctx, tracker)
@@ -266,8 +264,8 @@ func (a *ServerWithRoles) CreateSessionTracker(ctx context.Context, tracker type
 
 // GetSessionTracker returns the current state of a session tracker for an active session.
 func (a *ServerWithRoles) GetSessionTracker(ctx context.Context, sessionID string) (types.SessionTracker, error) {
- if a.hasBuiltinRoleInList(types.RoleKube, types.RoleNode, types.RoleProxy, types.RoleDatabase, types.RoleApp, types.RoleWindowsDesktop) {
- return nil, trace.AccessDenied("this request can be only executed by a node, proxy, kube, db, app, or windows desktop service")
+ if !a.hasBuiltinRole(sessionTrackerRoles...) {
+ return nil, trace.AccessDenied(sessionTrackerAccessDeniedMessage)
 }
 
 return a.authServer.GetSessionTracker(ctx, sessionID)
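Review bot: The removed condition in CreateSessionTracker and GetSessionTracker denied exactly the service roles its message names and let every other caller through, and the commit flips it to `!a.hasBuiltinRole(sessionTrackerRoles...)`; the same flip is made for RemoveSessionTracker and UpdateSessionTracker in the next two hunks. The diffstat lists no test file, so nothing pins the corrected polarity — a test asserting that a caller holding, say, `types.RoleNode` succeeds while a local-user context gets AccessDenied on each of the four methods would catch a regression. `sessionTrackerRoles` is a package-level `var` (Go has no constant slices) that an authorization decision reads; a one-line comment such as `// sessionTrackerRoles is read-only after init; do not append to or reassign it.` makes it clear that the permitted set must not quietly widen at runtime.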
@@ -300,8 +298,8 @@ func (a *ServerWithRoles) GetActiveSessionTrackers(ctx context.Context) ([]types
 
 // RemoveSessionTracker removes a tracker resource for an active session.
 func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID string) error {
- if a.hasBuiltinRoleInList(types.RoleKube, types.RoleNode, types.RoleProxy, types.RoleDatabase, types.RoleApp, types.RoleWindowsDesktop) {
- return trace.AccessDenied("this request can be only executed by a node, proxy, kube, db, app, or windows desktop service")
+ if !a.hasBuiltinRole(sessionTrackerRoles...) {
+ return trace.AccessDenied(sessionTrackerAccessDeniedMessage)
 }
 
 return a.authServer.RemoveSessionTracker(ctx, sessionID)
@@ -309,8 +307,8 @@ func (a *ServerWithRoles) RemoveSessionTracker(ctx context.Context, sessionID st
 
 // UpdateSessionTracker updates a tracker resource for an active session.
 func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error {
- if a.hasBuiltinRoleInList(types.RoleKube, types.RoleNode, types.RoleProxy, types.RoleDatabase, types.RoleApp, types.RoleWindowsDesktop) {
- return trace.AccessDenied("this request can be only executed by a node, proxy, kube, db, app, or windows desktop service")
+ if !a.hasBuiltinRole(sessionTrackerRoles...) {
+ return trace.AccessDenied(sessionTrackerAccessDeniedMessage)
 }
 
 return a.authServer.UpdateSessionTracker(ctx, req)
@@ -321,7 +319,7 @@ func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.U
 func (a *ServerWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (types.WebSession, error) {
 // authentication request has it's own authentication, however this limits the requests
 // types to proxies to make it harder to break
- if !a.hasBuiltinRole(string(types.RoleProxy)) {
+ if !a.hasBuiltinRole(types.RoleProxy) {
 return nil, trace.AccessDenied("this request can be only executed by a proxy")
 }
 return a.authServer.AuthenticateWebUser(req)
@@ -332,7 +330,7 @@ func (a *ServerWithRoles) AuthenticateWebUser(req AuthenticateUserRequest) (type func (a *ServerWithRoles) AuthenticateSSHUser(req AuthenticateSSHRequest) (*SSHLoginResponse, error) { // authentication request has it's own authentication, however this limits the requests // types to proxies to make it harder to break - if !a.hasBuiltinRole(string(types.RoleProxy)) { + if !a.hasBuiltinRole(types.RoleProxy) { return nil, trace.AccessDenied("this request can be only executed by a proxy") } return a.authServer.AuthenticateSSHUser(req) @@ -583,7 +581,7 @@ func (a *ServerWithRoles) UpsertNode(ctx context.Context, s types.Server) (*type // // This logic has moved to KeepAliveServer. func (a *ServerWithRoles) KeepAliveNode(ctx context.Context, handle types.KeepAlive) error { - if !a.hasBuiltinRole(string(types.RoleNode)) { + if !a.hasBuiltinRole(types.RoleNode) { return trace.AccessDenied("[10] access denied") } clusterName, err := a.GetDomainName() @@ -619,7 +617,7 @@ func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.Keep if serverName != handle.Name { return trace.AccessDenied("access denied") } - if !a.hasBuiltinRole(string(types.RoleNode)) { + if !a.hasBuiltinRole(types.RoleNode) { return trace.AccessDenied("access denied") } if err := a.action(apidefaults.Namespace, types.KindNode, types.VerbUpdate); err != nil { @@ -635,7 +633,7 @@ func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.Keep return trace.AccessDenied("access denied") } } - if !a.hasBuiltinRole(string(types.RoleApp)) { + if !a.hasBuiltinRole(types.RoleApp) { return trace.AccessDenied("access denied") } if err := a.action(apidefaults.Namespace, types.KindAppServer, types.VerbUpdate); err != nil { 
@@ -648,7 +646,7 @@ func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.Keep if serverName != handle.HostID { return trace.AccessDenied("access denied") } - if !a.hasBuiltinRole(string(types.RoleDatabase)) { + if !a.hasBuiltinRole(types.RoleDatabase) { return trace.AccessDenied("access denied") } if err := a.action(apidefaults.Namespace, types.KindDatabaseServer, types.VerbUpdate); err != nil { @@ -658,14 +656,14 @@ func (a *ServerWithRoles) KeepAliveServer(ctx context.Context, handle types.Keep if serverName != handle.Name { return trace.AccessDenied("access denied") } - if !a.hasBuiltinRole(string(types.RoleWindowsDesktop)) { + if !a.hasBuiltinRole(types.RoleWindowsDesktop) { return trace.AccessDenied("access denied") } if err := a.action(apidefaults.Namespace, types.KindWindowsDesktopService, types.VerbUpdate); err != nil { return trace.Wrap(err) } case constants.KeepAliveKube: - if serverName != handle.Name || !a.hasBuiltinRole(string(types.RoleKube)) { + if serverName != handle.Name || !a.hasBuiltinRole(types.RoleKube) { return trace.AccessDenied("access denied") } if err := a.action(apidefaults.Namespace, types.KindKubeService, types.VerbUpdate); err != nil { @@ -747,9 +745,9 @@ func (a *ServerWithRoles) NewWatcher(ctx context.Context, watch types.Watch) (ty } } switch { - case a.hasBuiltinRole(string(types.RoleProxy)): + case a.hasBuiltinRole(types.RoleProxy): watch.QueueSize = defaults.ProxyQueueSize - case a.hasBuiltinRole(string(types.RoleNode)): + case a.hasBuiltinRole(types.RoleNode): watch.QueueSize = defaults.NodeQueueSize } return a.authServer.NewWatcher(ctx, watch) 
@@ -782,8 +780,7 @@ func (a *ServerWithRoles) checkAccessToNode(server types.Server) error { // In addition, allow proxy (and remote proxy) to access all nodes for its // smart resolution address resolution. Once the smart resolution logic is // moved to the auth server, this logic can be removed. - if a.hasBuiltinRole(string(types.RoleAdmin)) || - a.hasBuiltinRole(string(types.RoleProxy)) || + if a.hasBuiltinRole(types.RoleAdmin, types.RoleProxy) || a.hasRemoteBuiltinRole(string(types.RoleRemoteProxy)) { return nil } @@ -1569,7 +1566,7 @@ func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, params types.A // review author must match calling user, except in the case of the builtin admin role. we make this // exception in order to allow for convenient testing with local tctl connections. - if !a.hasBuiltinRole(string(types.RoleAdmin)) { + if !a.hasBuiltinRole(types.RoleAdmin) { if params.Review.Author != a.context.User.GetName() { return nil, trace.AccessDenied("user %q cannot submit reviews on behalf of %q", a.context.User.GetName(), params.Review.Author) } @@ -1695,7 +1692,7 @@ func (a *ServerWithRoles) GetUsers(withSecrets bool) ([]types.User, error) { if withSecrets { // TODO(fspmarshall): replace admin requirement with VerbReadWithSecrets once we've // migrated to that model. - if !a.hasBuiltinRole(string(types.RoleAdmin)) { + if !a.hasBuiltinRole(types.RoleAdmin) { err := trace.AccessDenied("user %q requested access to all users with secrets", a.context.User.GetName()) log.Warning(err) if err := a.authServer.emitter.EmitAuditEvent(a.authServer.closeCtx, &apievents.UserLogin{ 
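Review bot: In checkAccessToNode the new line `a.hasBuiltinRole(types.RoleAdmin, types.RoleProxy)` takes typed roles while the very next operand, `a.hasRemoteBuiltinRole(string(types.RoleRemoteProxy))`, still converts to `string`; since this commit already changes every hasBuiltinRole call to the typed form, giving hasRemoteBuiltinRole the same `...types.SystemRole` signature would keep the two checks symmetrical and remove the last ad-hoc string conversion from the access-check path. hasRemoteBuiltinRole's definition is not in this diff, so this is a follow-up rather than something the hunk can show. checkAccessToNode starts outside the hunk.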
@@ -1726,7 +1723,7 @@ func (a *ServerWithRoles) GetUser(name string, withSecrets bool) (types.User, er if withSecrets { // TODO(fspmarshall): replace admin requirement with VerbReadWithSecrets once we've // migrated to that model. - if !a.hasBuiltinRole(string(types.RoleAdmin)) { + if !a.hasBuiltinRole(types.RoleAdmin) { err := trace.AccessDenied("user %q requested access to user %q with secrets", a.context.User.GetName(), name) log.Warning(err) if err := a.authServer.emitter.EmitAuditEvent(a.authServer.closeCtx, &apievents.UserLogin{ @@ -1836,7 +1833,7 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC // this prevents clients who have no chance at getting a cert and impersonating anyone // from enumerating local users and hitting database - if !a.hasBuiltinRole(string(types.RoleAdmin)) && !a.context.Checker.CanImpersonateSomeone() && req.Username != a.context.User.GetName() { + if !a.hasBuiltinRole(types.RoleAdmin) && !a.context.Checker.CanImpersonateSomeone() && req.Username != a.context.User.GetName() { return nil, trace.AccessDenied("access denied: impersonation is not allowed") } @@ -1957,7 +1954,7 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC checker := services.NewRoleSet(parsedRoles...) switch { - case a.hasBuiltinRole(string(types.RoleAdmin)): + case a.hasBuiltinRole(types.RoleAdmin): // builtin admins can impersonate anyone // this is required for local tctl commands to work case req.Username == a.context.User.GetName(): @@ -2027,7 +2024,7 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC ttl: req.Expires.Sub(a.authServer.GetClock().Now()), compatibility: req.Format, publicKey: req.PublicKey, - overrideRoleTTL: a.hasBuiltinRole(string(types.RoleAdmin)), + overrideRoleTTL: a.hasBuiltinRole(types.RoleAdmin), routeToCluster: req.RouteToCluster, kubernetesCluster: req.KubernetesCluster, dbService: req.RouteToDatabase.ServiceName, 
@@ -3182,7 +3179,7 @@ func (a *ServerWithRoles) DeleteSemaphore(ctx context.Context, filter types.Sema // signed certificate if successful. func (a *ServerWithRoles) ProcessKubeCSR(req KubeCSR) (*KubeCSRResponse, error) { // limits the requests types to proxies to make it harder to break - if !a.hasBuiltinRole(string(types.RoleProxy)) { + if !a.hasBuiltinRole(types.RoleProxy) { return nil, trace.AccessDenied("this request can be only executed by a proxy") } return a.authServer.ProcessKubeCSR(req) @@ -3239,7 +3236,7 @@ func (a *ServerWithRoles) DeleteAllDatabaseServers(ctx context.Context, namespac func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequest) (*proto.DatabaseCSRResponse, error) { // Only proxy is allowed to request this certificate when proxying // database client connection to a remote database service. - if !a.hasBuiltinRole(string(types.RoleProxy)) { + if !a.hasBuiltinRole(types.RoleProxy) { return nil, trace.AccessDenied("this request can only be executed by a proxy service") } return a.authServer.SignDatabaseCSR(ctx, req) @@ -3261,7 +3258,7 @@ func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.Databa func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error) { // Check if this is a local cluster admin, or a datababase service, or a // user that is allowed to impersonate database service. - if !a.hasBuiltinRole(string(types.RoleDatabase)) && !a.hasBuiltinRole(string(types.RoleAdmin)) { + if !a.hasBuiltinRole(types.RoleDatabase, types.RoleAdmin) { if err := a.canImpersonateBuiltinRole(types.RoleDatabase); err != nil { log.WithError(err).Warnf("User %v tried to generate database certificate but is not allowed to impersonate %q system role.", a.context.User.GetName(), types.RoleDatabase) 
@@ -4226,9 +4223,7 @@ func (a *ServerWithRoles) DeleteAllWindowsDesktops(ctx context.Context) error { func (a *ServerWithRoles) filterWindowsDesktops(desktops []types.WindowsDesktop) ([]types.WindowsDesktop, error) { // For certain built-in roles allow full access - if a.hasBuiltinRole(string(types.RoleAdmin)) || - a.hasBuiltinRole(string(types.RoleProxy)) || - a.hasBuiltinRole(string(types.RoleWindowsDesktop)) { + if a.hasBuiltinRole(types.RoleAdmin, types.RoleProxy, types.RoleWindowsDesktop) { return desktops, nil } @@ -4255,7 +4250,7 @@ func (a *ServerWithRoles) checkAccessToWindowsDesktop(w types.WindowsDesktop) er // authentication. func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *proto.WindowsDesktopCertRequest) (*proto.WindowsDesktopCertResponse, error) { // Only windows_desktop_service should be requesting Windows certificates. - if !a.hasBuiltinRole(string(types.RoleWindowsDesktop)) { + if !a.hasBuiltinRole(types.RoleWindowsDesktop) { return nil, trace.AccessDenied("access denied") } return a.authServer.GenerateWindowsDesktopCert(ctx, req) @@ -4317,7 +4312,7 @@ func (a *ServerWithRoles) GetAccountRecoveryCodes(ctx context.Context, req *prot // GenerateCertAuthorityCRL generates an empty CRL for a CA. func (a *ServerWithRoles) GenerateCertAuthorityCRL(ctx context.Context, caType types.CertAuthType) ([]byte, error) { // Only windows_desktop_service should be requesting CRLs - if !a.hasBuiltinRole(string(types.RoleWindowsDesktop)) { + if !a.hasBuiltinRole(types.RoleWindowsDesktop) { return nil, trace.AccessDenied("access denied") } crl, err := a.authServer.GenerateCertAuthorityCRL(ctx, caType) diff --git a/lib/kube/proxy/sess.go b/lib/kube/proxy/sess.go index 3fd3899fc7fc0..6f5e083c68043 100644 --- a/lib/kube/proxy/sess.go +++ b/lib/kube/proxy/sess.go 
@@ -277,7 +277,7 @@ type session struct {
 terminalSizeQueue *multiResizeQueue
- tracker *sessionTrackerWithCond
+ tracker *sessionTrackerServiceWithCond
 accessEvaluator auth.SessionAccessEvaluator
@@ -1136,7 +1136,7 @@ func getRolesByName(forwarder *Forwarder, roleNames []string) ([]types.Role, err
 func (s *session) trackSession(p *party, policySet []*types.SessionTrackerPolicySet) error {
 s.log.Debugf("Starting tracker for session %v", s.id.String())
- s.tracker = &sessionTrackerWithCond{
+ s.tracker = &sessionTrackerServiceWithCond{
 sess: s,
 SessionTrackerService: s.forwarder.cfg.AuthClient,
 state: types.SessionState_SessionStatePending,
@@ -1177,17 +1177,17 @@ func (s *session) trackSession(p *party, policySet []*types.SessionTrackerPolicy
 return nil
 }
-type sessionTrackerWithCond struct {
- sess *session
+type sessionTrackerServiceWithCond struct {
 services.SessionTrackerService
+ sess *session
 state types.SessionState
 stateUpdate *sync.Cond
 }
 // UpdateSessionTracker updates the session tracker, locking
 // on the stateUpdate condition for state updates.
-func (s *sessionTrackerWithCond) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error {
+func (s *sessionTrackerServiceWithCond) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error {
 if req.GetUpdateState() != nil {
 s.stateUpdate.L.Lock()
 defer s.stateUpdate.L.Unlock()
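Review bot: The renamed `sessionTrackerServiceWithCond` in the third hunk here still has no doc comment, while its twin in lib/srv/sess.go gains one (`// extends SessionTrackerService using a sync.Cond to control state updates.`) that does not begin with the type name as Go doc convention expects. A comment naming what the wrapper adds and the locking rule its methods rely on would serve both copies: `// sessionTrackerServiceWithCond is a services.SessionTrackerService that also keeps a local copy of the session state; state changes are applied under stateUpdate.L and announced with stateUpdate.Broadcast so waiters can observe transitions.` As far as these hunks show, the lib/kube/proxy and lib/srv copies differ only in the context they pass (s.sess.forwarder.ctx vs s.sess.serverCtx) and the participant log line, so the lock discipline now lives in two places; hoisting the wrapper into a shared package would keep it in one. UpdateSessionTracker's body continues past the end of this hunk.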
@@ -1197,14 +1197,14 @@ func (s *sessionTrackerWithCond) UpdateSessionTracker(ctx context.Context, req *
 return s.SessionTrackerService.UpdateSessionTracker(ctx, req)
 }
-func (s *sessionTrackerWithCond) get() (types.SessionTracker, error) {
+func (s *sessionTrackerServiceWithCond) get() (types.SessionTracker, error) {
 sess, err := s.GetSessionTracker(s.sess.forwarder.ctx, s.sess.id.String())
 if err != nil {
 return nil, trace.Wrap(err)
 }
 return sess, nil
 }
-func (s *sessionTrackerWithCond) addParty(p *party) error {
+func (s *sessionTrackerServiceWithCond) addParty(p *party) error {
 s.sess.log.Debugf("Tracking participant: %s", p.ID)
 err := services.AddSessionTrackerParticipant(s.sess.forwarder.ctx, s, s.sess.id.String(), &types.Participant{
 ID: p.ID.String(),
@@ -1215,19 +1215,19 @@ func (s *sessionTrackerWithCond) addParty(p *party) error {
 return trace.Wrap(err)
 }
-func (s *sessionTrackerWithCond) removeParty(partyID string) error {
+func (s *sessionTrackerServiceWithCond) removeParty(partyID string) error {
 s.sess.log.Debugf("Not tracking participant: %s", partyID)
 err := services.RemoveSessionTrackerParticipant(s.sess.forwarder.ctx, s, s.sess.id.String(), partyID)
 return trace.Wrap(err)
 }
-func (s *sessionTrackerWithCond) updateState(state types.SessionState) error {
+func (s *sessionTrackerServiceWithCond) updateState(state types.SessionState) error {
 err := services.UpdateSessionTrackerState(s.sess.forwarder.ctx, s, s.sess.id.String(), state)
 return trace.Wrap(err)
 }
 // updateStateUnderLock Must be called under stateUpdate lock
-func (s *sessionTrackerWithCond) updateStateUnderLock(state types.SessionState) error {
+func (s *sessionTrackerServiceWithCond) updateStateUnderLock(state types.SessionState) error {
 s.state = state
 s.stateUpdate.Broadcast()
diff --git a/lib/srv/app/session.go b/lib/srv/app/session.go
index 3386917b26811..9e53898365d6f 100644
--- a/lib/srv/app/session.go
+++ b/lib/srv/app/session.go
@@ -216,7 +216,7 @@ func (s *Server) newStreamer(ctx context.Context, sessionID string, recConfig ty
 // createTracker creates a new session tracker for the app session.
 func (s *Server) createTracker(sess *session, identity *tlsca.Identity) error {
- s.log.Debug("Creating tracker for session %v", sess.id)
+ s.log.Debugf("Creating tracker for session %v", sess.id)
 initiator := &types.Participant{
 ID: identity.Username,
 User: identity.Username,
diff --git a/lib/srv/db/common/auth.go b/lib/srv/db/common/auth.go
index 544839ebbfad0..837670237f6bc 100644
--- a/lib/srv/db/common/auth.go
+++ b/lib/srv/db/common/auth.go
@@ -70,7 +70,7 @@ type Auth interface {
 // AuthConfig is the database access authenticator configuration.
 type AuthConfig struct {
 // AuthClient is the cluster auth client.
- AuthClient libauth.ClientI
+ AuthClient *libauth.Client
 // Clients provides interface for obtaining cloud provider clients.
 Clients CloudClients
 // Clock is the clock implementation.
diff --git a/lib/srv/db/common/engines.go b/lib/srv/db/common/engines.go
index 107565d698a18..25b773677ecce 100644
--- a/lib/srv/db/common/engines.go
+++ b/lib/srv/db/common/engines.go
@@ -70,7 +70,7 @@ type EngineConfig struct {
 // Audit emits database access audit events.
 Audit Audit
 // AuthClient is the cluster auth server client.
- AuthClient auth.ClientI
+ AuthClient *auth.Client
 // CloudClients provides access to cloud API clients.
 CloudClients CloudClients
 // Context is the database server close context.
diff --git a/lib/srv/db/proxyserver.go b/lib/srv/db/proxyserver.go
index 3985be0f06a22..cc0b393eb9b4b 100644
--- a/lib/srv/db/proxyserver.go
+++ b/lib/srv/db/proxyserver.go
@@ -519,7 +519,7 @@ type monitorConnConfig struct {
 identity tlsca.Identity
 clock clockwork.Clock
 serverID string
- authClient auth.ClientI
+ authClient *auth.Client
 teleportUser string
 emitter events.Emitter
 log logrus.FieldLogger
diff --git a/lib/srv/db/server.go b/lib/srv/db/server.go
index 38409ed88a70f..9269009e7e0f9 100644
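Review bot: Narrowing `AuthClient` from `libauth.ClientI` to `*libauth.Client` in the AuthConfig hunk (and the same change to EngineConfig, monitorConnConfig and lib/srv/db/server.go's Config on the next line of this chunk) replaces an interface with a concrete client type, so the database code can no longer be wired with any other ClientI implementation, including test doubles. If the motivation is a method that only the concrete client exposes, which these hunks do not show, the usual Go shape is a small consumer-side interface that embeds ClientI plus that one method, e.g. `type dbAuthClient interface { libauth.ClientI; <METHOD-ONLY-ON-*libauth.Client> }` with `AuthClient dbAuthClient` on the field. The field comments still say only "cluster auth client" and give no hint why the concrete type is now required, so a one-line why-comment on the field would help the next reader either way.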
--- a/lib/srv/db/server.go
+++ b/lib/srv/db/server.go
@@ -58,7 +58,7 @@ type Config struct {
 // DataDir is the path to the data directory for the server.
 DataDir string
 // AuthClient is a client directly connected to the Auth server.
- AuthClient auth.ClientI
+ AuthClient *auth.Client
 // AccessPoint is a caching client connected to the Auth Server.
 AccessPoint auth.DatabaseAccessPoint
 // StreamEmitter is a non-blocking audit events emitter.
diff --git a/lib/srv/sess.go b/lib/srv/sess.go
index f7e19ee1c9b9f..71ad4204b9138 100644
--- a/lib/srv/sess.go
+++ b/lib/srv/sess.go
@@ -400,7 +400,7 @@ type session struct {
 access auth.SessionAccessEvaluator
- tracker *sessionTrackerWithCond
+ tracker *sessionTrackerServiceWithCond
 initiator string
@@ -1642,7 +1642,7 @@ func (p *party) closeUnderSessionLock() {
 func (s *session) trackSession(teleportUser string, policySet []*types.SessionTrackerPolicySet) error {
 s.log.Debugf("Starting session tracker for session %v", s.id)
- s.tracker = &sessionTrackerWithCond{
+ s.tracker = &sessionTrackerServiceWithCond{
 sess: s,
 SessionTrackerService: s.registry.SessionTrackerService,
 state: types.SessionState_SessionStatePending,
@@ -1695,17 +1695,18 @@ func (s *session) trackSession(teleportUser string, policySet []*types.SessionTr
 return nil
 }
-type sessionTrackerWithCond struct {
- sess *session
+// extends SessionTrackerService using a sync.Cond to control state updates.
+type sessionTrackerServiceWithCond struct {
 services.SessionTrackerService
+ sess *session
 state types.SessionState
 stateUpdate *sync.Cond
 }
 // UpdateSessionTracker updates the session tracker, locking
 // on the stateUpdate condition for state updates.
-func (s *sessionTrackerWithCond) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error {
+func (s *sessionTrackerServiceWithCond) UpdateSessionTracker(ctx context.Context, req *proto.UpdateSessionTrackerRequest) error {
 if req.GetUpdateState() != nil {
 s.stateUpdate.L.Lock()
 defer s.stateUpdate.L.Unlock()
@@ -1715,14 +1716,14 @@ func (s *sessionTrackerWithCond) UpdateSessionTracker(ctx context.Context, req *
 return s.SessionTrackerService.UpdateSessionTracker(ctx, req)
 }
-func (s *sessionTrackerWithCond) get() (types.SessionTracker, error) {
+func (s *sessionTrackerServiceWithCond) get() (types.SessionTracker, error) {
 sess, err := s.GetSessionTracker(s.sess.serverCtx, s.sess.id.String())
 if err != nil {
 return nil, trace.Wrap(err)
 }
 return sess, nil
 }
-func (s *sessionTrackerWithCond) addParty(p *party) error {
+func (s *sessionTrackerServiceWithCond) addParty(p *party) error {
 s.sess.log.Debugf("Tracking participant: %v", p.user)
 err := services.AddSessionTrackerParticipant(s.sess.serverCtx, s, s.sess.id.String(), &types.Participant{
 ID: p.user,
@@ -1733,19 +1734,19 @@ func (s *sessionTrackerWithCond) addParty(p *party) error {
 return trace.Wrap(err)
 }
-func (s *sessionTrackerWithCond) removeParty(partyID string) error {
+func (s *sessionTrackerServiceWithCond) removeParty(partyID string) error {
 s.sess.log.Debugf("Not tracking participant: %v", partyID)
 err := services.RemoveSessionTrackerParticipant(s.sess.serverCtx, s, s.sess.id.String(), partyID)
 return trace.Wrap(err)
 }
-func (s *sessionTrackerWithCond) updateState(state types.SessionState) error {
+func (s *sessionTrackerServiceWithCond) updateState(state types.SessionState) error {
 err := services.UpdateSessionTrackerState(s.sess.serverCtx, s, s.sess.id.String(), state)
 return trace.Wrap(err)
 }
 // updateStateUnderLock Must be called under stateUpdate lock
-func (s *sessionTrackerWithCond) updateStateUnderLock(state types.SessionState) error {
+func (s *sessionTrackerServiceWithCond) updateStateUnderLock(state types.SessionState) error {
 s.state = state
 s.stateUpdate.Broadcast()