Let a target subtype validate the authorize session's session state

3 years ago · 6178dd516e
parent 9f2c83f3b0
commit 6178dd516e
3 changed files with 29 additions and 8 deletions
--- a/internal/daemon/controller/handlers/targets/registry.go
+++ b/internal/daemon/controller/handlers/targets/registry.go
@ -4,10 +4,12 @@
 package targets

 import (
+	"context"
 	"fmt"
 	"sync"

 	"github.com/hashicorp/boundary/internal/daemon/controller/handlers"
+	"github.com/hashicorp/boundary/internal/session"
 	"github.com/hashicorp/boundary/internal/target"
 	"github.com/hashicorp/boundary/internal/types/subtypes"
 	pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/targets"
@ -35,10 +37,15 @@ type attributeFunc func(any) Attributes

 type setAttributeFunc func(target.Target, *pb.Target) error

+// validateSessionStateFunc validates a session's state for the specific target
+// type.
+type validateSessionStateFunc func(context.Context, *session.Session) error
+
 type registryEntry struct {
-	maskManager handlers.MaskManager
-	attrFunc    attributeFunc
-	setAttrFunc setAttributeFunc
+	maskManager              handlers.MaskManager
+	attrFunc                 attributeFunc
+	setAttrFunc              setAttributeFunc
+	validateSessionStateFunc validateSessionStateFunc
 }

 type registry struct {
@ -99,11 +106,12 @@ var subtypeRegistry = registry{
 }

 // Register registers a subtype for used by the service handler.
-func Register(s subtypes.Subtype, maskManager handlers.MaskManager, af attributeFunc, sf setAttributeFunc) {
+func Register(s subtypes.Subtype, maskManager handlers.MaskManager, af attributeFunc, sf setAttributeFunc, vsf validateSessionStateFunc) {
 	if _, existed := subtypeRegistry.LoadOrStore(s, &registryEntry{
-		maskManager: maskManager,
-		attrFunc:    af,
-		setAttrFunc: sf,
+		maskManager:              maskManager,
+		attrFunc:                 af,
+		setAttrFunc:              sf,
+		validateSessionStateFunc: vsf,
 	}); existed {
 		panic(fmt.Sprintf("subtype %s already registered", s))
 	}
--- a/internal/daemon/controller/handlers/targets/target_service.go
+++ b/internal/daemon/controller/handlers/targets/target_service.go
@ -970,6 +970,15 @@ func (s Service) AuthorizeSession(ctx context.Context, req *pbs.AuthorizeSession
 		}
 	}()

+	subtype := target.SubtypeFromId(req.GetId())
+	subtypeEntry, err := subtypeRegistry.get(subtype)
+	if err != nil {
+		return nil, errors.Wrap(ctx, err, op)
+	}
+	if err := subtypeEntry.validateSessionStateFunc(ctx, sess); err != nil {
+		return nil, errors.Wrap(ctx, err, op)
+	}
+
 	var dynamic []credential.Dynamic
 	var staticCredsById map[string]credential.Static
 	if len(vaultReqs) > 0 {
--- a/internal/daemon/controller/handlers/targets/tcp/tcp.go
+++ b/internal/daemon/controller/handlers/targets/tcp/tcp.go
@ -4,11 +4,13 @@
 package tcp

 import (
+	"context"
 	"math"

 	"github.com/golang/protobuf/ptypes/wrappers"
 	"github.com/hashicorp/boundary/internal/daemon/controller/handlers"
 	"github.com/hashicorp/boundary/internal/daemon/controller/handlers/targets"
+	"github.com/hashicorp/boundary/internal/session"
 	"github.com/hashicorp/boundary/internal/target"
 	"github.com/hashicorp/boundary/internal/target/store"
 	"github.com/hashicorp/boundary/internal/target/tcp"
@ -113,6 +115,8 @@ func setAttributes(t target.Target, out *pb.Target) error {
 	return nil
 }

+func noopSessionValidation(context.Context, *session.Session) error { return nil }
+
 func init() {
 	var maskManager handlers.MaskManager
 	var err error
@ -124,5 +128,5 @@ func init() {
 		panic(err)
 	}

-	targets.Register(tcp.Subtype, maskManager, newAttribute, setAttributes)
+	targets.Register(tcp.Subtype, maskManager, newAttribute, setAttributes, noopSessionValidation)
 }