Address review comments

gravitational · Mar 18, 2021 · e215f48 · e215f48
1 parent 0a714a2
commit e215f48
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 12 deletions.
diff --git a/api/types/session.go b/api/types/session.go
@@ -531,6 +531,9 @@ func (r *DeleteWebTokenRequest) Check() error {
 }
 
 // IntoMap makes this filter into a map.
+//
+// This filter is used with the cache watcher to make sure only sessions
+// for a particular user are returned.
 func (f *WebSessionFilter) IntoMap() map[string]string {
 	m := make(map[string]string)
 	if f.User != "" {
@@ -540,6 +543,9 @@ func (f *WebSessionFilter) IntoMap() map[string]string {
 }
 
 // FromMap converts provided map into this filter.
+//
+// This filter is used with the cache watcher to make sure only sessions
+// for a particular user are returned.
 func (f *WebSessionFilter) FromMap(m map[string]string) error {
 	for key, val := range m {
 		switch key {

diff --git a/integration/app_integration_test.go b/integration/app_integration_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 Gravitational, Inc.
+Copyright 2020-2021 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

diff --git a/lib/auth/auth.go b/lib/auth/auth.go
@@ -525,12 +525,18 @@ func (a *Server) GenerateUserTestCerts(key []byte, username string, ttl time.Dur
 
 // AppTestCertRequest combines parameters for generating a test app access cert.
 type AppTestCertRequest struct {
-	PublicKey   []byte
-	Username    string
-	TTL         time.Duration
-	PublicAddr  string
+	// PublicKey is the public key to sign.
+	PublicKey []byte
+	// Username is the Teleport user name to sign certificate for.
+	Username string
+	// TTL is the test certificate validity period.
+	TTL time.Duration
+	// PublicAddr is the application public address. Used for routing.
+	PublicAddr string
+	// ClusterName is the name of the cluster application resides in. Used for routing.
 	ClusterName string
-	SessionID   string
+	// SessionID is the optional session ID to encode. Used for routing.
+	SessionID string
 }
 
 // GenerateUserAppTestCert generates an application specific certificate, used

diff --git a/lib/auth/sessions.go b/lib/auth/sessions.go
@@ -48,6 +48,11 @@ func (s *Server) CreateAppSession(ctx context.Context, req services.CreateAppSes
 
 	// Don't let the app session go longer than the identity expiration,
 	// which matches the parent web session TTL as well.
+	//
+	// When using web-based app access, the browser will send a cookie with
+	// sessionID which will be used to fetch services.WebSession which
+	// contains a certificate whose life matches the life of the session
+	// that will be used to establish the connection.
 	ttl := checker.AdjustSessionTTL(identity.Expires.Sub(s.clock.Now()))
 
 	// Create certificate for this session.

diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go
@@ -177,7 +177,7 @@ func (h *Handler) extractSessionID(r *http.Request) (sessionID string, err error
 	// We have a client certificate with encoded session id in application
 	// access CLI flow i.e. when users log in using "tsh app login" and
 	// then connect to the apps with the issued certs.
-	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+	if HasClientCert(r) {
 		certificate := r.TLS.PeerCertificates[0]
 		identity, err := tlsca.FromSubject(certificate.Subject, certificate.NotAfter)
 		if err != nil {

diff --git a/tool/tsh/app.go b/tool/tsh/app.go
@@ -18,7 +18,9 @@ package main
 
 import (
 	"fmt"
+	"os"
 	"strings"
+	"text/template"
 
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/types"
@@ -63,13 +65,19 @@ func onAppLogin(cf *CLIConf) error {
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	fmt.Printf(`Logged into app %q. Example curl command:
-
-%v
-`, app.Name, formatAppConfig(tc, profile, app.Name, app.PublicAddr, appFormatCURL))
-	return nil
+	return appLoginTpl.Execute(os.Stdout, map[string]string{
+		"appName": app.Name,
+		"curlCmd": formatAppConfig(tc, profile, app.Name, app.PublicAddr, appFormatCURL),
+	})
 }
 
+// appLoginTpl is the message that gets printed to a user upon successful app login.
+var appLoginTpl = template.Must(template.New("").Parse(
+	`Logged into app {{.appName}}. Example curl command:
+
+{{.curlCmd}}
+`))
+
 // getRegisteredApp returns the registered application with the specified name.
 func getRegisteredApp(cf *CLIConf, tc *client.TeleportClient) (app *types.App, err error) {
 	err = client.RetryWithRelogin(cf.Context, tc, func() error {