Conversation
|
|
||
| ## What | ||
|
|
||
| Approval process to allow file transfers during a web moderated session |
There was a problem hiding this comment.
nit: start off with a verb instead of a noun here, example rephrashing
| Approval process to allow file transfers during a web moderated session | |
| Extend web file transfers to work during moderated web sessions using an approval process. |
|
|
||
| ## Why | ||
|
|
||
| Users have no ability to transfer files if their role requires a moderated session for the specified server, even if they are in an active and "valid" session currently. Originally, we would allow file transfers regardless of moderated sessions which, while good for UX, goes against the purpose of moderated sessions in the first place. We have disabled the functionality but would like to reintroduce it in a secure, moderated, and auditable way. |
There was a problem hiding this comment.
nit: consider line splitting at sentence boundaries or ;'s where it makes sense. It makes it easier for reviewers to make suggestions or select a specific bit of text.
|
|
||
| ## Why | ||
|
|
||
| Users have no ability to transfer files if their role requires a moderated session for the specified server, even if they are in an active and "valid" session currently. Originally, we would allow file transfers regardless of moderated sessions which, while good for UX, goes against the purpose of moderated sessions in the first place. We have disabled the functionality but would like to reintroduce it in a secure, moderated, and auditable way. |
There was a problem hiding this comment.
| Users have no ability to transfer files if their role requires a moderated session for the specified server, even if they are in an active and "valid" session currently. Originally, we would allow file transfers regardless of moderated sessions which, while good for UX, goes against the purpose of moderated sessions in the first place. We have disabled the functionality but would like to reintroduce it in a secure, moderated, and auditable way. | |
| Users have no ability to transfer files if their role requires a moderated session for the specified server, even if they are in an active and launched session currently. Originally, we would allow file transfers regardless of moderated sessions which, while good for UX, goes against the purpose of moderated sessions in the first place. We have disabled the functionality but would like to reintroduce it in a secure, moderated, and auditable way. |
| The proposed flow would look like this (simplified). | ||
| ```mermaid | ||
| sequenceDiagram | ||
| Requester->>SSH Server: Send FileTransferRequest over websocket connection |
There was a problem hiding this comment.
FileTransferRequest over websocket to SSH? How does this make it to the SSH node from the proxy? Maybe add a proxy entity even to this simplified diagram to help illustrate this communication.
i.e requester -> proxy over ws
proxy -> ssh node over async ssh channel req
There was a problem hiding this comment.
Even better, I just replaced the "api server" with proxy since thats what it is anyway. Moved it closer to the requester entity as well.
| ```go | ||
| type FileTransferRequest { | ||
| id string // UUID | ||
| user string |
There was a problem hiding this comment.
os user, teleport user? whom is this in the session context?
There was a problem hiding this comment.
In this context, I would use scx.Identity.TeleportUser... however, maybe a more contextual name would be requestingTeleportUser. Just so it's very clear its the requester and what "kind" of user.
There was a problem hiding this comment.
Yep, a more contextual name is what I wanted. TBH, calling it requester is fine and avoids annoying name size blowup, just throw a comment on the field saying it's a Teleport user so it's obvious on hover.
| user string | ||
| sessionID string | ||
| filePath string | ||
| approvers []*party |
There was a problem hiding this comment.
can we shortly explain what a party is in this context? maybe a participant of peer or moderator type?
There was a problem hiding this comment.
Will update soon. I'm not sure we need to store the entire party yet, but yes, it would be "anyone who is peer or moderator"
|
|
||
| The benefit of storing it on the session, and not in an access-request-like object, is that once the session is gone, so is the approved request. Keeping these approvals as ephemeral as possible is ideal. | ||
|
|
||
| ### the fileTransferChannel |
There was a problem hiding this comment.
Maybe?
| ### the fileTransferChannel | |
| ### Transfer request communication |
|
|
||
| ### Updated file transfer api handler | ||
|
|
||
| Not much will change here. The only difference is adding the `requestID` and `sessionID` as env vars in the `serverContext`. This will allow us to extend our `SessionRegistry.OpenExecSession` method with a new check like `isApprovedRequest` |
There was a problem hiding this comment.
What are these env vars actually named? Constant values? RequestID feels a bit generic as an env var name, maybe something like commandRequestID?
| ## Security Considerations | ||
| Originally, an idea was thrown around to create a "signed" url with all the `FileTransferRequest` information encoded in it but this seemed unnecessary. Because the current flow stores the original request in the session, we aren't giving them full access to open any exec session, just one that matches the exact request that was asked for. Also, having the request stored in the session means that once the session is gone, there isn't a way to "re-request" it. |
There was a problem hiding this comment.
| ## Security Considerations | |
| Originally, an idea was thrown around to create a "signed" url with all the `FileTransferRequest` information encoded in it but this seemed unnecessary. Because the current flow stores the original request in the session, we aren't giving them full access to open any exec session, just one that matches the exact request that was asked for. Also, having the request stored in the session means that once the session is gone, there isn't a way to "re-request" it. | |
| ## Security Considerations | |
| Originally, an idea was thrown around to create a "signed" url with all the `FileTransferRequest` information encoded in it but this seemed unnecessary. Because the current flow stores the original request in the session, we aren't giving them full access to open any exec session, just one that matches the exact request that was asked for. Also, having the request stored in the session means that once the session is gone, there isn't a way to "re-request" it. |
|
|
||
| ## Scope | ||
|
|
||
| This RFD will cover how to implement for web SCP specifically, but may be expanded to SFTP for tsh, although my research has been mostly for web scp. If at anytime there is ambiguity in this RFD for "which type of file transfers does this refer to", default to web scp only. |
There was a problem hiding this comment.
Are we leaving tsh out of scope because it requires a different solution or because we just haven't thought about it yet?
From a design perspective, I think it's important to understand why we're proposing a solution that's only valid for web.
There was a problem hiding this comment.
I believe the backend portion of this solution could be reused for tsh quite easily. I don't have the context yet to decide what the UI/UX would look like for tsh. I can do more research and revisit.
There was a problem hiding this comment.
Commenting a few more notes/thinking out loud.
With the web, the request is outside of the shell and handled via the UI, as well as the approval process. This means the shell isn't blocked by any file transfer requests.
For cli, we can maybe inform the approvers in the cli that someone is requesting a file transfer and implement an approve/deny command, similar to the force-terminate command. I'm not sure how this would scale will multiple file transfer requests at once, but its a thread to pull on.
I think the tsh scp command could function after approval similar to the new file transfer http request optional params by adding two new flags, the --sessionId and --commandRequestId.
I'll continue to ponder.
|
|
||
| #### The FileTransferRequest | ||
|
|
||
| The general idea of the solution is to provide a way for users to "request-a-request" that can be approved by moderators. An example of a file transfer specific struct could look like |
There was a problem hiding this comment.
Will this new request only be used for moderated sessions or will it apply any time there is a web based file transfer?
If it won't apply every time, how will you detect whether or not you need to use it?
There was a problem hiding this comment.
Only for moderated sessions. If it isn't a moderated session, no extra parameters are needed to be sent and will just pass the request without them added. I speak about it here but I see its a bit unclear now. Will update.
The web console will determine if we need to start this new process, and the api handler knowing when to add the environment variables based on the existence of the optional parameters sent. Sort of similar to how we issue certs when a webauthn response is included, we would be able to set the environment variables needed for OpenExecSession.
Also, OpenExecSession knows if the soon-to-be-opened session is moderated or not, so we can have a check "if moderated, see if they've sent through a commandRequestID".
| Not much will change here. The only difference is adding the `requestID` and `sessionID` as env vars in the `serverContext`. This will allow us to extend our `SessionRegistry.OpenExecSession` method with a new check like `isApprovedRequest` | ||
|
|
||
| ```go | ||
| func (s *SessionRegistry) isApprovedRequest(ctx context.Context, scx *ServerContext) (bool error) { |
There was a problem hiding this comment.
request is a vague term and makes me think of access requests here. Maybe isApprovedFileTransfer or something along those lines would be a better name.
There was a problem hiding this comment.
isApprovedFileTransfer will work great. If we want, we can even abstract it early (and in other places in the code) to isApprovedCommand? its only being implemented with file transfers right now, this process of requesting an command, approving a command, and running that command seems like it can be related to anything we want in the future. Thoughts?
There was a problem hiding this comment.
Let's go with the name that is most clear now. We can always change the name if we expand the scope of the feature in the future, but for now I don't want the code to read as if we support approving a specific command.
| } | ||
| ``` | ||
|
|
||
| ### UX/UI |
There was a problem hiding this comment.
I think it's worth discussing the UX for tsh-based file transfers. Will it work? Will it fail with a confusing error? Can we detect it and prompt the user to initiate the transfer via the web UI?
Part of #23546 This will add a fileTransferRequest to a session and allow environment variables to be passed from the webUI in order to validate a request that happens "outside" the moderated session (via HTTP request).
|
Hey @xacrimon and @capnspacehook - I think all of your comments have been addressed so far. There's still a few corner cases we're experimenting with, so we'll probably keep this open until we decide on a a path forward, but I wanted to confirm with you two if there's anything else you'd like to see addressed before we start pushing more PRs. |
|
LGTM as long as the flow with |
To be honest, we might not ever support @avatus it would be worth considering whether we can allow moderators to approve file transfers if they joined via |
|
Hey, everything to me looks fine so far and I'd be happy to see it move forward. Feel free to hit |
Part of #23546 This will add a fileTransferRequest to a session and allow environment variables to be passed from the webUI in order to validate a request that happens "outside" the moderated session (via HTTP request).
Part of #23546 This will add a fileTransferRequest to a session and allow environment variables to be passed from the webUI in order to validate a request that happens "outside" the moderated session (via HTTP request).
|
In the future, please try to follow the branch naming conventions for RFDs: Lines 68 to 70 in 785fa04 |
avatus
requested review from
capnspacehook and
zmb3
and removed request for
klizhentas
|
Updated to |
|
Friendly ping @zmb3 @capnspacehook @xacrimon |
avatus
force-pushed
the
michaelmyers/rfd-moderated-file-transfers
branch
from
d178468 to
87269c7
Compare
5 participants
Rendered view here
Issue #16008