From 6178dd516e81e84c732cb700a2c7ecc6ccc167af Mon Sep 17 00:00:00 2001
From: Todd
Date: Thu, 25 May 2023 15:52:03 -0700
Subject: [PATCH] Let a target subtype validate the authorize session's session state
---
 .../controller/handlers/targets/registry.go | 22 +++++++++++++------
 .../handlers/targets/target_service.go | 9 ++++++++
 .../controller/handlers/targets/tcp/tcp.go | 6 ++++-
 3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/internal/daemon/controller/handlers/targets/registry.go b/internal/daemon/controller/handlers/targets/registry.go
index 3ca943f5f8..b2420baa46 100644
--- a/internal/daemon/controller/handlers/targets/registry.go
+++ b/internal/daemon/controller/handlers/targets/registry.go
@@ -4,10 +4,12 @@ package targets
 import (
+ "context"
 "fmt"
 "sync"
 "github.com/hashicorp/boundary/internal/daemon/controller/handlers"
+ "github.com/hashicorp/boundary/internal/session"
 "github.com/hashicorp/boundary/internal/target"
 "github.com/hashicorp/boundary/internal/types/subtypes"
 pb "github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/targets"
@@ -35,10 +37,15 @@ type attributeFunc func(any) Attributes
 type setAttributeFunc func(target.Target, *pb.Target) error
+// validateSessionStateFunc validates a session's state for the specific target
+// type.
+type validateSessionStateFunc func(context.Context, *session.Session) error
+
 type registryEntry struct {
- maskManager handlers.MaskManager
- attrFunc attributeFunc
- setAttrFunc setAttributeFunc
+ maskManager handlers.MaskManager
+ attrFunc attributeFunc
+ setAttrFunc setAttributeFunc
+ validateSessionStateFunc validateSessionStateFunc
 }
 type registry struct {
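Review bot: The doc comment on the new `validateSessionStateFunc` type says only that it validates a session's state, not what the handler does with the result; the AuthorizeSession hunk in target_service.go wraps a non-nil error and returns it, aborting the authorization, so the comment should state that contract, e.g. `// validateSessionStateFunc lets a target subtype reject an authorize-session request: a non-nil error aborts AuthorizeSession and is wrapped and returned to the caller.` The new field `validateSessionStateFunc validateSessionStateFunc` in registryEntry reuses the type name as the field name while the sibling fields use abbreviated names (`attrFunc`, `setAttrFunc`); a name such as `validateSessFunc` would be consistent with them and avoid the field/type homonym.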
@@ -99,11 +106,12 @@ var subtypeRegistry = registry{
 }
 // Register registers a subtype for used by the service handler.
-func Register(s subtypes.Subtype, maskManager handlers.MaskManager, af attributeFunc, sf setAttributeFunc) {
+func Register(s subtypes.Subtype, maskManager handlers.MaskManager, af attributeFunc, sf setAttributeFunc, vsf validateSessionStateFunc) {
 if _, existed := subtypeRegistry.LoadOrStore(s, ®istryEntry{
- maskManager: maskManager,
- attrFunc: af,
- setAttrFunc: sf,
+ maskManager: maskManager,
+ attrFunc: af,
+ setAttrFunc: sf,
+ validateSessionStateFunc: vsf,
 }); existed {
 panic(fmt.Sprintf("subtype %s already registered", s))
 }
diff --git a/internal/daemon/controller/handlers/targets/target_service.go b/internal/daemon/controller/handlers/targets/target_service.go
index 7a5420c671..813edee18a 100644
--- a/internal/daemon/controller/handlers/targets/target_service.go
+++ b/internal/daemon/controller/handlers/targets/target_service.go
@@ -970,6 +970,15 @@ func (s Service) AuthorizeSession(ctx context.Context, req *pbs.AuthorizeSession
 }
 }()
+ subtype := target.SubtypeFromId(req.GetId())
+ subtypeEntry, err := subtypeRegistry.get(subtype)
+ if err != nil {
+ return nil, errors.Wrap(ctx, err, op)
+ }
+ if err := subtypeEntry.validateSessionStateFunc(ctx, sess); err != nil {
+ return nil, errors.Wrap(ctx, err, op)
+ }
+
 var dynamic []credential.Dynamic
 var staticCredsById map[string]credential.Static
 if len(vaultReqs) > 0 {
diff --git a/internal/daemon/controller/handlers/targets/tcp/tcp.go b/internal/daemon/controller/handlers/targets/tcp/tcp.go
index 8328b2f947..b8f7e2be6d 100644
--- a/internal/daemon/controller/handlers/targets/tcp/tcp.go
+++ b/internal/daemon/controller/handlers/targets/tcp/tcp.go
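Review bot: Register stores `vsf` without checking it for nil, and the new code in the AuthorizeSession hunk of target_service.go calls `subtypeEntry.validateSessionStateFunc(ctx, sess)` unconditionally, so a subtype registered with a nil validator would panic in the authorize path at request time instead of failing at startup. Register already panics on duplicate registration, so a guard in the same style keeps the failure at init: `if vsf == nil { panic(fmt.Sprintf("subtype %s registered with nil validateSessionStateFunc", s)) }`. Substituting a no-op for a nil value would also avoid the panic, but failing closed at registration is the stricter choice for a hook that gates session authorization.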
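Review bot: The second check, `if err := subtypeEntry.validateSessionStateFunc(ctx, sess); err != nil`, declares a new `err` that shadows the function-scope `err` assigned by `subtypeEntry, err := subtypeRegistry.get(subtype)` two lines above. If the deferred function closed by the `}()` at the top of the hunk inspects the outer `err` to undo work on failure (the body of AuthorizeSession starts and ends outside the hunk, so this cannot be confirmed here), a rejected session state would be invisible to it; `if err = subtypeEntry.validateSessionStateFunc(ctx, sess); err != nil {` keeps the result in the outer variable either way. It is also worth confirming that `sess` has not already been persisted when the validator runs, since the check sits after whatever the deferred block wraps rather than before session creation.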
@@ -4,11 +4,13 @@ package tcp
 import (
+ "context"
 "math"
 "github.com/golang/protobuf/ptypes/wrappers"
 "github.com/hashicorp/boundary/internal/daemon/controller/handlers"
 "github.com/hashicorp/boundary/internal/daemon/controller/handlers/targets"
+ "github.com/hashicorp/boundary/internal/session"
 "github.com/hashicorp/boundary/internal/target"
 "github.com/hashicorp/boundary/internal/target/store"
 "github.com/hashicorp/boundary/internal/target/tcp"
@@ -113,6 +115,8 @@ func setAttributes(t target.Target, out *pb.Target) error {
 return nil
 }
+func noopSessionValidation(context.Context, *session.Session) error { return nil }
+
 func init() {
 var maskManager handlers.MaskManager
 var err error
@@ -124,5 +128,5 @@ func init() {
 panic(err)
 }
- targets.Register(tcp.Subtype, maskManager, newAttribute, setAttributes)
+ targets.Register(tcp.Subtype, maskManager, newAttribute, setAttributes, noopSessionValidation)
 }
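Review bot: `noopSessionValidation` has no doc comment, so a reader of tcp.go cannot tell whether accepting every session state is deliberate for TCP targets or a placeholder to be filled in later; since it is the validator handed to targets.Register in the last hunk, a comment stating the intent is warranted, e.g. `// noopSessionValidation is the tcp subtype's validateSessionStateFunc. TCP targets impose no subtype-specific constraints on a session's state, so every session is accepted.` (adjust if the no-op is temporary). Laying the body out on its own lines, `{` / `return nil` / `}`, would also match how setAttributes and init are written in this file.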