From ae3a9e32cfe750db165865c5ca1cf595c3dc7362 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Wed, 7 Oct 2020 21:30:44 -0400 Subject: [PATCH] Remove proxy command You can now use -authz-token in `boundary connect` which also allows using the connect subcommands when you already have a token. --- internal/cmd/commands.go | 6 - internal/cmd/commands/proxy/proxy.go | 128 +++++++----------- .../api/resources/targets/target.pb.go | 85 +++++++----- .../api/resources/targets/v1/target.proto | 3 + .../handlers/targets/target_service.go | 1 + 5 files changed, 101 insertions(+), 122 deletions(-) diff --git a/internal/cmd/commands.go b/internal/cmd/commands.go index df5c4d5572..d2bc93c26b 100644 --- a/internal/cmd/commands.go +++ b/internal/cmd/commands.go @@ -53,12 +53,6 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) { SigUSR2Ch: MakeSigUSR2Ch(), }, nil }, - "proxy": func() (cli.Command, error) { - return &proxy.Command{ - Command: base.NewCommand(ui), - Func: "proxy", - }, nil - }, "connect": func() (cli.Command, error) { return &proxy.Command{ Command: base.NewCommand(ui), diff --git a/internal/cmd/commands/proxy/proxy.go b/internal/cmd/commands/proxy/proxy.go index 7b5d1dd995..de765ebbb1 100644 --- a/internal/cmd/commands/proxy/proxy.go +++ b/internal/cmd/commands/proxy/proxy.go @@ -61,7 +61,7 @@ var _ cli.CommandAutocomplete = (*Command)(nil) type Command struct { *base.Command - flagAuthz string + flagAuthzToken string flagListenAddr string flagListenPort int flagTargetId string @@ -87,7 +87,7 @@ type Command struct { Func string - sessionAuthz *targets.SessionAuthorization + sessionAuthzData *targetspb.SessionAuthorizationData connWg *sync.WaitGroup listenerCloseOnce sync.Once 
@@ -103,10 +103,8 @@ type Command struct { func (c *Command) Synopsis() string { switch c.Func { - case "proxy": - return "Launch the Boundary CLI in proxy mode" case "connect": - return "Authorize a session against a target and launch a proxied connection" + return "Authorize a session against a target (or consume an existing authorization token) and launch a proxied connection" case "http": return "Authorize a session against a target and invoke an HTTP client to connect" case "ssh": @@ -121,22 +119,11 @@ func (c *Command) Synopsis() string { func (c *Command) Help() string { switch c.Func { - case "proxy": - return base.WrapForHelpText([]string{ - "Usage: boundary proxy [options] [args]", - "", - " This command allows launching the Boundary CLI in proxy mode. In this mode, the CLI expects to take in an authorization string returned from a Boundary controller. The CLI will then create a connection to a Boundary worker and ready a listening port for a local connection.", - "", - " Example:", - "", - ` $ boundary proxy -auth "UgxzX29mVEpwNUt6QlGiAQ..."`, - }) + c.Flags().Help() - case "connect": return base.WrapForHelpText([]string{ "Usage: boundary connect [options] [args]", "", - ` This command performs a target authorization and proxy launch in one command; it is equivalent to sending the output of "boundary targets authorize-session" into "boundary proxy". See the help output for those commands for more information.`, + ` This command performs a target authorization (or consumes an existing authorization token) and launches a proxied connection.`, "", " Example:", "", 
@@ -154,41 +141,23 @@ func (c *Command) Flags() *base.FlagSets { set := c.FlagSet(bits) switch c.Func { - case "proxy": - f := set.NewFlagSet("Proxy Options") - - f.StringVar(&base.StringVar{ - Name: "authz", - Target: &c.flagAuthz, - EnvVar: "BOUNDARY_PROXY_AUTHZ", - Completion: complete.PredictAnything, - Usage: `The authorization string returned from the Boundary controller. If set to "-", the command will attempt to read in the authorization string from standard input.`, - }) + case "connect", "http", "ssh", "rdp", "postgres": + f := set.NewFlagSet("Connect Options") f.StringVar(&base.StringVar{ - Name: "listen-addr", - Target: &c.flagListenAddr, - EnvVar: "BOUNDARY_PROXY_LISTEN_ADDR", - Completion: complete.PredictAnything, - Usage: `If set, the CLI will attempt to bind its listening address to the given value, which must be an IP address. If it cannot, the command will error. If not set, defaults to the IPv4 loopback address (127.0.0.1).`, - }) - - f.IntVar(&base.IntVar{ - Name: "listen-port", - Target: &c.flagListenPort, - EnvVar: "BOUNDARY_PROXY_LISTEN_PORT", - Completion: complete.PredictAnything, - Usage: `If set, the CLI will attempt to bind its listening port to the given value. If it cannot, the command will error.`, + Name: "authz-token", + Target: &c.flagAuthzToken, + EnvVar: "BOUNDARY_CONNECT_AUTHZ_TOKEN", + Completion: complete.PredictNothing, + Usage: `Only needed if -target-id is not set. The authorization string returned from the Boundary controller via an "authorize-session" action against a target. If set to "-", the command will attempt to read in the authorization string from standard input.`, }) - case "connect", "http", "ssh", "rdp", "postgres": - f := set.NewFlagSet("Connect Options") - f.StringVar(&base.StringVar{ Name: "target-id", Target: &c.flagTargetId, - Usage: "The ID of the target to authorize against.", + Usage: "The ID of the target to authorize against. 
Cannot be used with -authz-token.", }) + f.StringVar(&base.StringVar{ Name: "host-id", Target: &c.flagHostId, @@ -318,15 +287,6 @@ func (c *Command) Flags() *base.FlagSets { }) } - /* - f.BoolVar(&base.BoolVar{ - Name: "verbose", - Target: &c.flagVerbose, - Completion: complete.PredictAnything, - Usage: "Turns on some extra verbosity in the command output.", - }) - */ - return set } @@ -354,6 +314,15 @@ func (c *Command) Run(args []string) (retCode int) { return 1 } + switch { + case c.flagAuthzToken != "" && c.flagTargetId != "": + c.UI.Error(`-target-id and -authz-token cannot both be specified`) + return 1 + case c.flagAuthzToken == "" && c.flagTargetId == "": + c.UI.Error(`One of -target-id and -authz-token must be set`) + return 1 + } + switch c.Func { case "http": if c.flagExec == "" { @@ -406,9 +375,9 @@ func (c *Command) Run(args []string) (retCode int) { return 1 } - authzString := c.flagAuthz - switch c.Func { - case "proxy": + authzString := c.flagAuthzToken + switch { + case authzString != "": if authzString == "-" { authBytes, err := ioutil.ReadAll(os.Stdin) if err != nil { @@ -430,18 +399,13 @@ func (c *Command) Run(args []string) (retCode int) { if authzString[0] == '{' { // Attempt to decode the JSON output of an authorize-session call // and pull the token out of there - c.sessionAuthz = new(targets.SessionAuthorization) - if err := json.Unmarshal([]byte(authzString), c.sessionAuthz); err == nil { - authzString = c.sessionAuthz.AuthorizationToken + sessionAuthz := new(targets.SessionAuthorization) + if err := json.Unmarshal([]byte(authzString), sessionAuthz); err == nil { + authzString = sessionAuthz.AuthorizationToken } } - case "connect", "http", "ssh", "postgres", "rdp": - if c.flagTargetId == "" { - c.UI.Error("Target ID must be provided") - return 1 - } - + default: client, err := c.Client() if err != nil { c.UI.Error(fmt.Sprintf("Error creating API client: %s", err.Error())) 
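Review bot: The `authz-token` usage text in the Flags hunk should steer users away from passing the token as a literal argument. The decoded token carries the session's mTLS certificate and Ed25519 private key (Run later builds its `tls.Config` from `sessionAuthzData.PrivateKey`), and a value on the command line is visible in process listings and shell history. I would append a sentence to the Usage string such as `Prefer "-" (standard input) or BOUNDARY_CONNECT_AUTHZ_TOKEN over a literal value; the token contains the session's private key.` Flags() starts and ends outside this hunk.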
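Review bot: The mutual-exclusion check added at the top of Run tests the flag targets rather than whether the user passed the flags. A `BOUNDARY_CONNECT_AUTHZ_TOKEN` left in the environment would therefore presumably make `boundary connect -target-id ...` fail with a message about a flag the user never typed; this assumes `base.StringVar` fills `Target` from `EnvVar`, which is not visible here. Naming the variable in the message would make that case diagnosable, e.g. `-target-id and -authz-token (or BOUNDARY_CONNECT_AUTHZ_TOKEN) cannot both be specified`. A short comment above the switch, `// Exactly one authorization source: a target to authorize against, or a pre-issued token.`, would also help; Run continues outside the hunk.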
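Review bot: In the `authzString[0] == '{'` branch a `json.Unmarshal` failure is silently dropped, and a successful decode with an empty `AuthorizationToken` replaces the input with an empty string. In both cases the user only sees the later base58 decoding error, which does not point at the cause. Since `{` is not a character of the standard base58 alphabet, input that starts with it can only be JSON, so the branch can fail explicitly as sketched below. Whatever guards `authzString[0]` against an empty string lies between the hunks and is not visible here.

```go
if authzString[0] == '{' {
	// A base58 token cannot start with '{', so this input must be the
	// JSON output of an authorize-session call; fail if it is not.
	sessionAuthz := new(targets.SessionAuthorization)
	if err := json.Unmarshal([]byte(authzString), sessionAuthz); err != nil {
		c.UI.Error(fmt.Errorf("Unable to JSON-decode authorization data: %w", err).Error())
		return 1
	}
	if sessionAuthz.AuthorizationToken == "" {
		c.UI.Error("No authorization token found in JSON input")
		return 1
	}
	authzString = sessionAuthz.AuthorizationToken
}
```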
@@ -463,8 +427,7 @@ func (c *Command) Run(args []string) (retCode int) { c.UI.Error(fmt.Sprintf("Error trying to authorize a session against target: %s", err.Error())) return 2 } - c.sessionAuthz = sar.GetItem().(*targets.SessionAuthorization) - authzString = c.sessionAuthz.AuthorizationToken + authzString = sar.GetItem().(*targets.SessionAuthorization).AuthorizationToken } marshaled, err := base58.FastBase58Decoding(authzString) @@ -477,21 +440,21 @@ func (c *Command) Run(args []string) (retCode int) { return 1 } - data := new(targetspb.SessionAuthorizationData) - if err := proto.Unmarshal(marshaled, data); err != nil { + c.sessionAuthzData = new(targetspb.SessionAuthorizationData) + if err := proto.Unmarshal(marshaled, c.sessionAuthzData); err != nil { c.UI.Error(fmt.Errorf("Unable to proto-decode authorization data: %w", err).Error()) return 1 } - if len(data.GetWorkerInfo()) == 0 { + if len(c.sessionAuthzData.GetWorkerInfo()) == 0 { c.UI.Error("No workers found in authorization string") return 1 } - c.connectionsLeft.Store(data.ConnectionLimit) - workerAddr := data.GetWorkerInfo()[0].GetAddress() + c.connectionsLeft.Store(c.sessionAuthzData.ConnectionLimit) + workerAddr := c.sessionAuthzData.GetWorkerInfo()[0].GetAddress() - parsedCert, err := x509.ParseCertificate(data.Certificate) + parsedCert, err := x509.ParseCertificate(c.sessionAuthzData.Certificate) if err != nil { c.UI.Error(fmt.Errorf("Unable to decode mTLS certificate: %w", err).Error()) return 1 @@ -516,8 +479,8 @@ func (c *Command) Run(args []string) (retCode int) { tlsConf := &tls.Config{ Certificates: []tls.Certificate{ { - Certificate: [][]byte{data.Certificate}, - PrivateKey: ed25519.PrivateKey(data.PrivateKey), + Certificate: [][]byte{c.sessionAuthzData.Certificate}, + PrivateKey: ed25519.PrivateKey(c.sessionAuthzData.PrivateKey), Leaf: parsedCert, }, }, 
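Review bot: The single-value type assertion in `sar.GetItem().(*targets.SessionAuthorization).AuthorizationToken` panics if the item is nil or of another type, and the chained field access leaves no point at which that can be checked. Use the comma-ok form instead: `sa, ok := sar.GetItem().(*targets.SessionAuthorization)`, then `if !ok || sa == nil { c.UI.Error("Unexpected response type from authorize-session"); return 2 }` and `authzString = sa.AuthorizationToken`. Run continues outside the hunk.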
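Review bot: `ed25519.PrivateKey(c.sessionAuthzData.PrivateKey)` converts whatever bytes the token held without checking their length, and with `-authz-token` those bytes now arrive from a flag, an environment variable or standard input. `crypto/ed25519` panics when signing with a key whose length is not `ed25519.PrivateKeySize`, so a truncated or hand-edited token would crash during the TLS handshake instead of producing an error. Add a guard before `tlsConf` is built: `if len(c.sessionAuthzData.PrivateKey) != ed25519.PrivateKeySize { c.UI.Error("Invalid private key length in authorization data"); return 1 }`. The `tls.Config` literal continues outside the hunk.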
@@ -564,8 +527,8 @@ func (c *Command) Run(args []string) (retCode int) { Address: c.listenerAddr.IP.String(), Port: c.listenerAddr.Port, Expiration: c.expiration, - ConnectionLimit: data.GetConnectionLimit(), - SessionId: data.GetSessionId(), + ConnectionLimit: c.sessionAuthzData.GetConnectionLimit(), + SessionId: c.sessionAuthzData.GetSessionId(), } switch base.Format(c.UI) { @@ -742,7 +705,14 @@ func (c *Command) handleConnection( c.connsLeftCh <- 0 return errors.New("Unable to authorize connection") } - return fmt.Errorf("error reading handshake result: %w", err) + switch { + case strings.Contains(err.Error(), "tofu token not allowed"): + // Nothing will be able to be done here, so cancel the context too + c.proxyCancel() + return errors.New("Session is already in use") + default: + return fmt.Errorf("error reading handshake result: %w", err) + } } if handshakeResult.GetConnectionsLeft() != -1 { @@ -829,7 +799,7 @@ func (c *Command) handleExec(passthroughArgs []string) { switch c.flagSshStyle { case "ssh": args = append(args, "-p", port, ip) - args = append(args, "-o", fmt.Sprintf("HostKeyAlias=%s", c.sessionAuthz.HostId)) + args = append(args, "-o", fmt.Sprintf("HostKeyAlias=%s", c.sessionAuthzData.HostId)) case "putty": args = append(args, "-P", port, ip) } diff --git a/internal/gen/controller/api/resources/targets/target.pb.go b/internal/gen/controller/api/resources/targets/target.pb.go index 5318459f76..adec3e42e6 100644 --- a/internal/gen/controller/api/resources/targets/target.pb.go +++ b/internal/gen/controller/api/resources/targets/target.pb.go 
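Review bot: Matching the rejection with `strings.Contains(err.Error(), "tofu token not allowed")` in handleConnection ties the client to the exact wording of an error string. If that text ever changes, the client silently falls back to the generic branch and no longer calls `c.proxyCancel()`. If the handshake can carry a typed status or close code, switch on that; otherwise hoist the literal into a named constant and document it, e.g. `// The worker refused our trust-on-first-use token; presumably another client already claimed this session.` Because this condition may also mean the authorization token was used elsewhere, it is worth saying so in the message returned to the user. handleConnection continues outside the hunk.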
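Review bot: In handleExec, `HostKeyAlias` is now built from `c.sessionAuthzData.HostId`, which is empty for any token whose data lacks field 140 (for example one issued before this change), so ssh would be started with `-o HostKeyAlias=`. Append the option only when the ID is present: `if id := c.sessionAuthzData.GetHostId(); id != "" { args = append(args, "-o", "HostKeyAlias="+id) }`. The alias also selects which known_hosts entry ssh checks the server key against, so the field's "not used for security purposes" comment understates its role when the token comes from `-authz-token`. handleExec continues outside the hunk.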
@@ -374,6 +374,8 @@ type SessionAuthorizationData struct { Certificate []byte `protobuf:"bytes,120,opt,name=certificate,proto3" json:"certificate,omitempty"` // Output only. The private key to use when connecting. We are using Ed25519, so this is purely raw bytes, no marshaling. PrivateKey []byte `protobuf:"bytes,130,opt,name=private_key,proto3" json:"private_key,omitempty"` + // Output only. The host ID...not used for security purposes, but for some special command handling (e.g. ssh host key aliasing). + HostId string `protobuf:"bytes,140,opt,name=host_id,json=hostId,proto3" json:"host_id,omitempty"` // Output only. Worker information. The first worker in the array should be prioritized. WorkerInfo []*WorkerInfo `protobuf:"bytes,150,rep,name=worker_info,proto3" json:"worker_info,omitempty"` } @@ -466,6 +468,13 @@ func (x *SessionAuthorizationData) GetPrivateKey() []byte { return nil } +func (x *SessionAuthorizationData) GetHostId() string { + if x != nil { + return x.HostId + } + return "" +} + func (x *SessionAuthorizationData) GetWorkerInfo() []*WorkerInfo { if x != nil { return x.WorkerInfo @@ -687,7 +696,7 @@ var file_controller_api_resources_targets_v1_target_proto_rawDesc = []byte{ 0x6f, 0x72, 0x74, 0x52, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x22, 0x26, 0x0a, 0x0a, 0x57, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0xb6, 0x03, 0x0a, 0x18, 0x53, 0x65, + 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0xd0, 0x03, 0x0a, 0x18, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x73, 0x73, 
@@ -709,42 +718,44 @@ var file_controller_api_resources_targets_v1_target_proto_rawDesc = []byte{ 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x78, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x21, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x82, 0x01, 0x20, 0x01, 0x28, - 0x0c, 0x52, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x52, - 0x0a, 0x0b, 0x77, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x96, 0x01, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, - 0x72, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, - 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x65, - 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x0b, 0x77, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x5f, 0x69, 0x6e, - 0x66, 0x6f, 0x22, 0xf5, 0x02, 0x0a, 0x14, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x73, - 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x74, - 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, - 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x12, 0x43, 0x0a, 0x05, 0x73, 0x63, 0x6f, - 0x70, 0x65, 0x18, 0x1e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, - 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x73, 0x2e, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x63, - 0x6f, 0x70, 0x65, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x3e, - 0x0a, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 
0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x28, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, - 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x18, - 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x32, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x68, 0x6f, 0x73, 0x74, - 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x3c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, - 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x68, 0x6f, - 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x46, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x68, 0x6f, 0x73, - 0x74, 0x5f, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x50, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x30, 0x0a, 0x13, 0x61, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, - 0x5a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x55, 0x5a, 0x53, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, - 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, - 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, - 0x73, 0x2f, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x3b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, - 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x0c, 0x52, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x12, 0x18, + 0x0a, 0x07, 0x68, 0x6f, 
0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x8c, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x68, 0x6f, 0x73, 0x74, 0x49, 0x64, 0x12, 0x52, 0x0a, 0x0b, 0x77, 0x6f, 0x72, 0x6b, + 0x65, 0x72, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x96, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, + 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x61, 0x70, 0x69, 0x2e, + 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, + 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x49, 0x6e, 0x66, 0x6f, 0x52, + 0x0b, 0x77, 0x6f, 0x72, 0x6b, 0x65, 0x72, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x22, 0xf5, 0x02, 0x0a, + 0x14, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1e, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x5f, 0x69, 0x64, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, + 0x69, 0x64, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, + 0x5f, 0x69, 0x64, 0x12, 0x43, 0x0a, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x1e, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, + 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x73, 0x63, + 0x6f, 0x70, 0x65, 0x73, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x49, 0x6e, 0x66, + 0x6f, 0x52, 0x05, 0x73, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x3e, 0x0a, 0x0c, 0x63, 0x72, 0x65, 0x61, + 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x28, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x63, 0x72, 0x65, 0x61, + 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x12, 0x18, 
0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, + 0x5f, 0x69, 0x64, 0x18, 0x32, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, + 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x74, 0x5f, 0x69, + 0x64, 0x18, 0x3c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, + 0x74, 0x5f, 0x69, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, + 0x46, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x12, 0x12, + 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x50, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, + 0x70, 0x65, 0x12, 0x30, 0x0a, 0x13, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x5a, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x13, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, + 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x55, 0x5a, 0x53, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62, 0x6f, 0x75, + 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x67, + 0x65, 0x6e, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x61, 0x70, + 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2f, 0x74, 0x61, 0x72, 0x67, + 0x65, 0x74, 0x73, 0x3b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( diff --git a/internal/proto/local/controller/api/resources/targets/v1/target.proto b/internal/proto/local/controller/api/resources/targets/v1/target.proto index d367d59714..e63f709155 100644 --- a/internal/proto/local/controller/api/resources/targets/v1/target.proto +++ b/internal/proto/local/controller/api/resources/targets/v1/target.proto 
@@ -102,6 +102,9 @@ message SessionAuthorizationData { // Output only. The private key to use when connecting. We are using Ed25519, so this is purely raw bytes, no marshaling. bytes private_key = 130 [json_name="private_key"]; + // Output only. The host ID...not used for security purposes, but for some special command handling (e.g. ssh host key aliasing). + string host_id = 140; + // Output only. Worker information. The first worker in the array should be prioritized. repeated WorkerInfo worker_info = 150 [json_name="worker_info"]; } diff --git a/internal/servers/controller/handlers/targets/target_service.go b/internal/servers/controller/handlers/targets/target_service.go index fe4ddd35c4..d05a92cc5b 100644 --- a/internal/servers/controller/handlers/targets/target_service.go +++ b/internal/servers/controller/handlers/targets/target_service.go @@ -396,6 +396,7 @@ HostSetIterationLoop: Type: t.GetType(), Certificate: sess.Certificate, PrivateKey: privKey, + HostId: chosenId.hostId, WorkerInfo: workers, ConnectionLimit: t.GetSessionConnectionLimit(), }
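Review bot: `host_id` is the only field in this hunk declared without a `json_name` option. `private_key` and `worker_info` pin their JSON names to snake_case, and the regenerated struct tag in target.pb.go accordingly shows `json=hostId` for the new field. If this message is ever rendered as JSON, the key would be `hostId` while its siblings stay snake_case; for consistency declare it as `string host_id = 140 [json_name="host_id"];`. The message definition starts outside the hunk.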