Respect windows_desktop_labels for dynamic desktops
probakowski committed Nov 13, 2024
1 parent 9b2b1fe commit 43397b8
Showing 2 changed files with 46 additions and 2 deletions.
47 changes: 45 additions & 2 deletions lib/auth/dynamicwindows/dynamicwindowsv1/service.go
Expand Up @@ -20,6 +20,7 @@ package dynamicwindowsv1

import (
"context"
"github.com/gravitational/teleport/lib/services"
"log/slog"

"github.com/gravitational/trace"
Expand Down Expand Up @@ -108,6 +109,9 @@ func (s *Service) GetDynamicWindowsDesktop(ctx context.Context, request *dynamic
if err != nil {
return nil, trace.Wrap(err)
}
if err := checkAccess(auth, d); err != nil {
return nil, trace.Wrap(err)
}

desktop, ok := d.(*types.DynamicWindowsDesktopV1)
if !ok {
Expand Down Expand Up @@ -136,6 +140,9 @@ func (s *Service) ListDynamicWindowsDesktops(ctx context.Context, request *dynam
NextPageToken: next,
}
for _, d := range desktops {
if err := checkAccess(auth, d); err != nil {
continue
}
desktop, ok := d.(*types.DynamicWindowsDesktopV1)
if !ok {
return nil, trace.BadParameter("unexpected type %T", d)
Expand All @@ -158,6 +165,9 @@ func (s *Service) CreateDynamicWindowsDesktop(ctx context.Context, req *dynamicw
if err := auth.CheckAccessToKind(types.KindDynamicWindowsDesktop, types.VerbCreate); err != nil {
return nil, trace.Wrap(err)
}
if err := checkAccess(auth, req.GetDesktop()); err != nil {
return nil, trace.Wrap(err)
}
d, err := s.backend.CreateDynamicWindowsDesktop(ctx, types.DynamicWindowsDesktop(req.Desktop))
if err != nil {
return nil, trace.Wrap(err)
Expand All @@ -171,6 +181,10 @@ func (s *Service) CreateDynamicWindowsDesktop(ctx context.Context, req *dynamicw
return createdDesktop, nil
}

func checkAccess(auth *authz.Context, desktop types.DynamicWindowsDesktop) error {
return auth.Checker.CheckAccess(desktop, services.AccessState{MFAVerified: true})
}

// UpdateDynamicWindowsDesktop updates an existing dynamic Windows desktop.
func (s *Service) UpdateDynamicWindowsDesktop(ctx context.Context, req *dynamicwindowspb.UpdateDynamicWindowsDesktopRequest) (*types.DynamicWindowsDesktopV1, error) {
auth, err := s.authorizer.Authorize(ctx)
Expand All @@ -183,7 +197,17 @@ func (s *Service) UpdateDynamicWindowsDesktop(ctx context.Context, req *dynamicw
if err := auth.CheckAccessToKind(types.KindDynamicWindowsDesktop, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
d, err := s.backend.UpdateDynamicWindowsDesktop(ctx, req.Desktop)
d, err := s.cache.GetDynamicWindowsDesktop(ctx, req.GetDesktop().GetName())
if err != nil {
return nil, trace.Wrap(err)
}
if err := checkAccess(auth, d); err != nil {
return nil, trace.Wrap(err)
}
if err := checkAccess(auth, req.GetDesktop()); err != nil {
return nil, trace.Wrap(err)
}
d, err = s.backend.UpdateDynamicWindowsDesktop(ctx, req.Desktop)
if err != nil {
return nil, trace.Wrap(err)
}
Expand All @@ -208,7 +232,19 @@ func (s *Service) UpsertDynamicWindowsDesktop(ctx context.Context, req *dynamicw
if err := auth.CheckAccessToKind(types.KindDynamicWindowsDesktop, types.VerbCreate, types.VerbUpdate); err != nil {
return nil, trace.Wrap(err)
}
d, err := s.backend.UpsertDynamicWindowsDesktop(ctx, req.Desktop)
d, err := s.cache.GetDynamicWindowsDesktop(ctx, req.GetDesktop().GetName())
if !trace.IsNotFound(err) {
if err != nil {
return nil, trace.Wrap(err)
}
if err := checkAccess(auth, d); err != nil {
return nil, trace.Wrap(err)
}
}
if err := checkAccess(auth, req.GetDesktop()); err != nil {
return nil, trace.Wrap(err)
}
d, err = s.backend.UpsertDynamicWindowsDesktop(ctx, req.Desktop)
if err != nil {
return nil, trace.Wrap(err)
}
Expand All @@ -233,6 +269,13 @@ func (s *Service) DeleteDynamicWindowsDesktop(ctx context.Context, req *dynamicw
if err := auth.CheckAccessToKind(types.KindDynamicWindowsDesktop, types.VerbDelete); err != nil {
return nil, trace.Wrap(err)
}
d, err := s.cache.GetDynamicWindowsDesktop(ctx, req.GetName())
if err != nil {
return nil, trace.Wrap(err)
}
if err := checkAccess(auth, d); err != nil {
return nil, trace.Wrap(err)
}
if err := s.backend.DeleteDynamicWindowsDesktop(ctx, req.GetName()); err != nil {
return nil, trace.Wrap(err)
}
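Review bot: The new `checkAccess` helper (after CreateDynamicWindowsDesktop) hardcodes `services.AccessState{MFAVerified: true}` with no comment, so a reader cannot tell whether per-session MFA is intentionally not evaluated for this management API or whether the state was meant to be derived from the caller's `auth` context. Since every guard in this file now routes through it, a doc comment such as `// checkAccess enforces the caller's windows_desktop_labels against desktop. MFAVerified is set because this is a resource-management check, not a session; per-session MFA is deliberately not evaluated here.` would pin the intent, and if the state should instead reflect the caller it ought to come from the authz context (the rest of that API is outside this hunk, so this is inferred). Separately, the import hunk places `github.com/gravitational/teleport/lib/services` inside the standard-library group between `context` and `log/slog`; goimports would move it next to the other `github.com/gravitational` imports. In ListDynamicWindowsDesktops the `continue` drops denied desktops after the page has been fetched, so a page can come back shorter than requested, or empty, while NextPageToken is still set — if callers treat an empty page as end-of-list, a comment on the loop noting this is worthwhile.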
1 change: 1 addition & 0 deletions lib/services/role.go
Expand Up @@ -349,6 +349,7 @@ func validateRoleExpressions(r types.Role) error {
{"db_labels", types.KindDatabase},
{"db_service_labels", types.KindDatabaseService},
{"windows_desktop_labels", types.KindWindowsDesktop},
{"windows_desktop_labels", types.KindDynamicWindowsDesktop},
{"group_labels", types.KindUserGroup},
} {
labelMatchers, err := r.GetLabelMatchers(condition.condition, labels.kind)
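Review bot: The table in validateRoleExpressions now carries `windows_desktop_labels` twice, once for KindWindowsDesktop and once for KindDynamicWindowsDesktop, with no comment explaining the pairing. If GetLabelMatchers returns the same matchers for both kinds, as the commit title suggests, the second entry re-validates identical expressions, which is harmless but reads like a copy-paste slip. A comment on the new line such as `// dynamic desktops are matched by the same windows_desktop_labels field` would make the intent clear. validateRoleExpressions begins and ends outside the hunk.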
