teleport/lib/web/app/session.go

/*
Copyright 2020 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package app

import (
	"context"
	"sync"
	"time"

	"github.com/gravitational/teleport/api/types"
	"github.com/gravitational/teleport/lib/defaults"
	"github.com/gravitational/teleport/lib/tlsca"

	"github.com/gravitational/trace"
	"github.com/gravitational/ttlmap"

	"github.com/gravitational/oxy/forward"
	"github.com/sirupsen/logrus"
)

// session holds a request forwarder and web session for this request.
type session struct {
	// fwd can rewrite and forward requests to the target application.
	fwd *forward.Forwarder
	// ws represents the services.WebSession this requests belongs to.
	ws types.WebSession
}

// newSession creates a new session.
func (h *Handler) newSession(ctx context.Context, ws types.WebSession) (*session, error) {
	// Extract the identity of the user.
	certificate, err := tlsca.ParseCertificatePEM(ws.GetTLSCert())
	if err != nil {
		return nil, trace.Wrap(err)
	}
	identity, err := tlsca.FromSubject(certificate.Subject, certificate.NotAfter)
	if err != nil {
		return nil, trace.Wrap(err)
	}

	// Query the cluster this application is running in to find the public
	// address and cluster name pair which will be encoded into the certificate.
	clusterClient, err := h.c.ProxyClient.GetSite(identity.RouteToApp.ClusterName)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	accessPoint, err := clusterClient.CachingAccessPoint()
	if err != nil {
		return nil, trace.Wrap(err)
	}
	server, err := Match(ctx, accessPoint, MatchPublicAddr(identity.RouteToApp.PublicAddr))
	if err != nil {
		return nil, trace.Wrap(err)
	}

	// Create a rewriting transport that will be used to forward requests.
	transport, err := newTransport(&transportConfig{
		proxyClient:  h.c.ProxyClient,
		accessPoint:  h.c.AccessPoint,
		cipherSuites: h.c.CipherSuites,
		identity:     identity,
		server:       server,
		ws:           ws,
		clusterName:  h.clusterName,
	})
	if err != nil {
		return nil, trace.Wrap(err)
	}
	fwd, err := forward.New(
		forward.FlushInterval(100*time.Millisecond),
		forward.RoundTripper(transport),
		forward.Logger(h.log),
		forward.PassHostHeader(true),
		forward.WebsocketDial(transport.dialer),
	)
	if err != nil {
		return nil, trace.Wrap(err)
	}

	return &session{
		fwd: fwd,
		ws:  ws,
	}, nil
}

// sessionCache holds a cache of sessions that are used to forward requests.
type sessionCache struct {
	mu    sync.Mutex
	cache *ttlmap.TTLMap

	closeContext context.Context

	log *logrus.Entry
}

// newSessionCache creates a new session cache.
func newSessionCache(ctx context.Context, log *logrus.Entry) (*sessionCache, error) {
	var err error

	s := &sessionCache{
		closeContext: ctx,
		log:          log,
	}

	// Cache of request forwarders. Set an expire function that can be used to
	// close any open resources.
	s.cache, err = ttlmap.New(defaults.ClientCacheSize)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	go s.expireSessions()

	return s, nil
}

// cacheGet will fetch the forwarder from the cache.
func (s *sessionCache) get(key string) (*session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()

	if f, ok := s.cache.Get(key); ok {
		if fwd, fok := f.(*session); fok {
			return fwd, nil
		}
		return nil, trace.BadParameter("invalid type stored in cache: %T", f)
	}
	return nil, trace.NotFound("forwarder not found")
}

// cacheSet will add the forwarder to the cache.
func (s *sessionCache) set(key string, value *session, ttl time.Duration) error {
	s.mu.Lock()
	defer s.mu.Unlock()

	if err := s.cache.Set(key, value, ttl); err != nil {
		return trace.Wrap(err)
	}
	return nil
}

// expireSessions ticks every second trying to close expired sessions.
func (s *sessionCache) expireSessions() {
	ticker := time.NewTicker(time.Second)
	defer ticker.Stop()

	for {
		select {
		case <-ticker.C:
			s.expireSession()
		case <-s.closeContext.Done():
			return
		}
	}
}

// expiredSession tries to expire sessions in the cache.
func (s *sessionCache) expireSession() {
	s.mu.Lock()
	defer s.mu.Unlock()

	s.cache.RemoveExpired(10)
}
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`/*`
			`Copyright 2020 Gravitational, Inc.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package app`

			`import (`
			`"context"`
			`"sync"`
			`"time"`

rollback - Upgrade api version. (#7751) 2021-07-30 22:34:19 +00:00			`"github.com/gravitational/teleport/api/types"`
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`"github.com/gravitational/teleport/lib/defaults"`
			`"github.com/gravitational/teleport/lib/tlsca"`

			`"github.com/gravitational/trace"`
			`"github.com/gravitational/ttlmap"`

			`"github.com/gravitational/oxy/forward"`
			`"github.com/sirupsen/logrus"`
			`)`

			`// session holds a request forwarder and web session for this request.`
			`type session struct {`
			`// fwd can rewrite and forward requests to the target application.`
			`fwd *forward.Forwarder`
			`// ws represents the services.WebSession this requests belongs to.`
Remove API aliases (#6983) 2021-06-04 20:29:31 +00:00			`ws types.WebSession`
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`}`

			`// newSession creates a new session.`
Remove API aliases (#6983) 2021-06-04 20:29:31 +00:00			`func (h Handler) newSession(ctx context.Context, ws types.WebSession) (session, error) {`
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`// Extract the identity of the user.`
			`certificate, err := tlsca.ParseCertificatePEM(ws.GetTLSCert())`
			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`
			`identity, err := tlsca.FromSubject(certificate.Subject, certificate.NotAfter)`
			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`

			`// Query the cluster this application is running in to find the public`
			`// address and cluster name pair which will be encoded into the certificate.`
			`clusterClient, err := h.c.ProxyClient.GetSite(identity.RouteToApp.ClusterName)`
			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`
			`accessPoint, err := clusterClient.CachingAccessPoint()`
			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`
Introduce app server and app resources (#8140) 2021-09-09 21:19:02 +00:00			`server, err := Match(ctx, accessPoint, MatchPublicAddr(identity.RouteToApp.PublicAddr))`
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`

			`// Create a rewriting transport that will be used to forward requests.`
			`transport, err := newTransport(&transportConfig{`
			`proxyClient: h.c.ProxyClient,`
			`accessPoint: h.c.AccessPoint,`
			`cipherSuites: h.c.CipherSuites,`
			`identity: identity,`
			`server: server,`
			`ws: ws,`
			`clusterName: h.clusterName,`
			`})`
			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`
			`fwd, err := forward.New(`
Set flush interval when forwarding application http requests (#8359) Signed-off-by: Roman Tkachenko <roman@gravitational.com> Co-authored-by: Stefan Sedich <stefan.sedich@gmail.com> 2021-09-28 22:16:57 +00:00			`forward.FlushInterval(100*time.Millisecond),`
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`forward.RoundTripper(transport),`
Fix AAP headers injection 2021-03-01 14:14:46 +00:00			`forward.Logger(h.log),`
			`forward.PassHostHeader(true),`
Fix app access websockets support (#6072) 2021-03-22 15:56:44 +00:00			`forward.WebsocketDial(transport.dialer),`
Fix AAP headers injection 2021-03-01 14:14:46 +00:00			`)`
Added Application Access. Added support for an identity aware, RBAC enforcing, mutually authenticated, web application proxy to Teleport. * Updated services.Server to support an application servers. * Updated services.WebSession to support application sessions. * Added CRUD RPCs for "AppServers". * Added CRUD RPCs for "AppSessions". * Added RBAC support using labels for applications. * Added JWT signer as a services.CertAuthority type. * Added support for signing and verifying JWT tokens. * Refactored dynamic label and heartbeat code into standalone packages. * Added application support to web proxies and new "app_service" to proxy mutually authenticated connections from proxy to an internal application. 2020-10-19 00:09:29 +00:00			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`

			`return &session{`
			`fwd: fwd,`
			`ws: ws,`
			`}, nil`
			`}`

			`// sessionCache holds a cache of sessions that are used to forward requests.`
			`type sessionCache struct {`
			`mu sync.Mutex`
			`cache *ttlmap.TTLMap`

			`closeContext context.Context`

			`log *logrus.Entry`
			`}`

			`// newSessionCache creates a new session cache.`
			`func newSessionCache(ctx context.Context, log logrus.Entry) (sessionCache, error) {`
			`var err error`

			`s := &sessionCache{`
			`closeContext: ctx,`
			`log: log,`
			`}`

			`// Cache of request forwarders. Set an expire function that can be used to`
			`// close any open resources.`
			`s.cache, err = ttlmap.New(defaults.ClientCacheSize)`
			`if err != nil {`
			`return nil, trace.Wrap(err)`
			`}`
			`go s.expireSessions()`

			`return s, nil`
			`}`

			`// cacheGet will fetch the forwarder from the cache.`
			`func (s sessionCache) get(key string) (session, error) {`
			`s.mu.Lock()`
			`defer s.mu.Unlock()`

			`if f, ok := s.cache.Get(key); ok {`
			`if fwd, fok := f.(*session); fok {`
			`return fwd, nil`
			`}`
			`return nil, trace.BadParameter("invalid type stored in cache: %T", f)`
			`}`
			`return nil, trace.NotFound("forwarder not found")`
			`}`

			`// cacheSet will add the forwarder to the cache.`
			`func (s sessionCache) set(key string, value session, ttl time.Duration) error {`
			`s.mu.Lock()`
			`defer s.mu.Unlock()`

			`if err := s.cache.Set(key, value, ttl); err != nil {`
			`return trace.Wrap(err)`
			`}`
			`return nil`
			`}`

			`// expireSessions ticks every second trying to close expired sessions.`
			`func (s *sessionCache) expireSessions() {`
			`ticker := time.NewTicker(time.Second)`
			`defer ticker.Stop()`

			`for {`
			`select {`
			`case <-ticker.C:`
			`s.expireSession()`
			`case <-s.closeContext.Done():`
			`return`
			`}`
			`}`
			`}`

			`// expiredSession tries to expire sessions in the cache.`
			`func (s *sessionCache) expireSession() {`
			`s.mu.Lock()`
			`defer s.mu.Unlock()`

			`s.cache.RemoveExpired(10)`
			`}`