Add switchback feature #5440
Add switchback feature #5440
Conversation
…eparately for clear separation
sessions are created and where existing sessions are managed. Remove ttlmap in favor of a simple map and handle expirations explicitly. Add web session management to gRPC server for the cache.
Fix web sessions unit tests.
has not yet been added to session cache. lib/cache: add event filter for web session in auth cache. lib/auth: propagate web session subkind in gRPC event.
…se fake time in web tests
the old behavior w.r.t access checking (e.g. implicit handling of the local user identity).
…ns using best-effort - first looking in the cache and falling back to a proxy client
the purpose of this PR. Also avoid a race between closing the cached clients and an existing reference to the session by letting the session linger for longer before removing it.
Fix the web UI assets configuration by removing DisableUI and instead use the presence of assets (HTTP file system) as an indicator that the web UI has been enabled.
… the expiration error message for errors other than not found
kimlisa
requested review from
a-palchikov,
alex-kovoy,
awly,
fspmarshall,
klizhentas,
r0mant,
russjones and
webvictim
as code owners
| defaultExpiry := req.SwitchBackDefaults.Expires | ||
|
|
||
| if err := utils.StringSliceSubset(roles, defaultRoles); err != nil { | ||
| return nil, trace.Wrap(err) |
There was a problem hiding this comment.
The function's error message will be pretty generic - we should amend the message to include the relevant bits about role mismatch.
| } | ||
|
|
||
| roles = req.SwitchBackDefaults.Roles | ||
| expiresAt = req.SwitchBackDefaults.Expires |
There was a problem hiding this comment.
Does that have to take the current session's expiration into account? I don't have a full context on the switching back to defaults (is it what it is?), so I'm wondering whether it's possible that request.SwitchBackDefaults.Expires > session.Expires?
| @@ -1518,6 +1531,28 @@ func (s *TLSSuite) TestWebSessionWithApprovedAccessRequest(c *check.C) { | |||
|
|
|||
| _, hasRole = mappedRole["test-request-role"] | |||
| c.Assert(hasRole, check.Equals, true) | |||
|
|
|||
| // Test swtich back to default role and expiry. | |||
There was a problem hiding this comment.
Can you add this as an additional test case? Usually, the old tests are not changed if the base functionality was not modified to render it invalid. It would be additionally helpful to have as minimal test case as possible, sometimes the tests grow to become cumbersome to read and know what's being tested.
| SwitchBackDefaults *WebSession `json:"session"` | ||
| } | ||
|
|
||
| // WebSession defines fields describing a session expiration and roles assigned to it. |
There was a problem hiding this comment.
WebSession is a pretty generic name. How does this differ from the WebSession from the API types package? As this is used to represent the attributes of the original web session used to switch user back to their defaults, I would try to keep this meaning as part of the type.
| type createWebSessionReq struct { | ||
| PrevSessionID string `json:"prev_session_id"` | ||
| // CreateWebSessionReq defines fields for requesting to create new web session. | ||
| type CreateWebSessionReq struct { |
There was a problem hiding this comment.
This is used to extend a web session, ExtendWebSessionRequest could be a more apt name.
| @@ -1875,6 +1873,14 @@ func TestWebSessionsRenew(t *testing.T) { | |||
| prevSessionID := decodeSessionCookie(t, prevSessionCookie.Value) | |||
| activeSessionID := decodeSessionCookie(t, sessionCookie.Value) | |||
| require.NotEmpty(t, cmp.Diff(prevSessionID, activeSessionID)) | |||
| require.NotEmpty(t, cmp.Diff(pack.session.ExpiresIn, newPack.session.ExpiresIn)) | |||
There was a problem hiding this comment.
Is this accurate? I think the session expiration should be the same.
| @@ -1518,6 +1531,28 @@ func (s *TLSSuite) TestWebSessionWithApprovedAccessRequest(c *check.C) { | |||
|
|
|||
| _, hasRole = mappedRole["test-request-role"] | |||
| c.Assert(hasRole, check.Equals, true) | |||
|
|
|||
| // Test swtich back to default role and expiry. | |||
There was a problem hiding this comment.
| // Test swtich back to default role and expiry. | |
| // Test switch back to default role and expiry. |
|
|
||
| s := auth.WebSession{ | ||
| Expires: newPack.session.Session.Expires, | ||
| Roles: []string{"foo"}, |
There was a problem hiding this comment.
I don't really understand how this is working here.
There's a number of access request test cases in auth/tls_test.go - is there any intersection with this? Do you have to test this here as well?
| requestID := params.ByName("requestId") | ||
| req := &renewSessionRequest{} | ||
| if r.Body != http.NoBody { | ||
| if err := httplib.ReadJSON(r, &req); err != nil { |
There was a problem hiding this comment.
nit: this should not use the address of the pointer, I don't see a reason for indirection. Just use a local value of type renewSessionRequest:
var req renewSessionRequest
a-palchikov
force-pushed
the
dmitri/web-ui-disconnects
branch
3 times, most recently
from
2b8de2e
to
b82abfa
Compare
part of #4937
TODO: update apiserver_test.go, after base branch is merged
Description
For UI users, allow user to switch back to default from assuming access requests, by web client calling renewSession, that also now accepts values of session expiration and roles (these are saved in the browser on first session creation after login)
renewSessionRequestobject to read from request in renew sessionExtendWebSessionto accept a request struct that contains session informationSessionfield to session responses, that returns session expiration time and roles assigned