(7.0) App access client cert auth #5918
Conversation
|
|
||
| // WaitForAppSession will block until the requested application session shows up in the | ||
| // cache or a timeout occurs. | ||
| func WaitForAppSession(ctx context.Context, sessionID, user string, ap AccessPoint) error { |
There was a problem hiding this comment.
@fspmarshall has been putting functions like these into services.
There was a problem hiding this comment.
This function needs an AccessPoint which resides here in auth package so I can't really move it to services without introducing cyclic deps.
There was a problem hiding this comment.
You can create an interface with just GetAppSession and NewWatcher in it.
There was a problem hiding this comment.
Yeah, I tried that and it doesn't work either unfortunately since this method also depends on services/local so it'd be a loop anyway :-/
|
|
||
| // WaitForAppSession will block until the requested application session shows up in the | ||
| // cache or a timeout occurs. | ||
| func WaitForAppSession(ctx context.Context, sessionID, user string, ap AccessPoint) error { |
There was a problem hiding this comment.
You can create an interface with just GetAppSession and NewWatcher in it.
lib/auth/sessions.go
Outdated
| // Check that a matching parent web session exists in the backend. | ||
| parentSession, err := s.GetWebSession(ctx, types.GetWebSessionRequest{ | ||
| User: req.Username, | ||
| SessionID: req.ParentSession, | ||
| }) | ||
| if err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
|
|
||
| // Don't let the TTL of the child certificate go longer than the parent. | ||
| ttl := checker.AdjustSessionTTL(parentSession.GetExpiryTime().Sub(s.clock.Now())) | ||
| // Don't let the app session go longer than the identity expiration, | ||
| // which matches the parent web session TTL as well. | ||
| ttl := checker.AdjustSessionTTL(identity.Expires.Sub(s.clock.Now())) |
There was a problem hiding this comment.
@r0mant I think this is fine.
Can you update the comment with some more details about why this works for browser based Application Access: browser will send a cookie with sessionID which will be used to fetch services.WebSession which contains a certificate whose life matches the life of the session that will be used to establish the connection.
@awly You might want to review these changes as well.
There was a problem hiding this comment.
Updated the comment.
|
@russjones I've addressed your comments. |
r0mant
force-pushed
the
roman/curl
branch
2 times, most recently
from
2ea7a89
to
6aaa029
Compare
Introduce ability to use application access with client certificates for authentication. Refs #5213.
Here's what the UX looks like.
View registered applications:
Retrieve certificate / init a session for the app:
➜ build/tsh app login debug-root Logged into app "debug-root". Example curl command: curl \ --cacert /Users/r0mant/.tsh/keys/root.gravitational.io/certs.pem \ --cert /Users/r0mant/.tsh/keys/root.gravitational.io/r0mant-app/root/debug-root-x509.pem \ --key /Users/r0mant/.tsh/keys/root.gravitational.io/r0mant \ https://debug-root.gravitational.io:3080View app information:
For automation friendliness, use
--formatto print specific parts of the app config:With this you could do something like: