gravitational · avatus · May 3, 2023 · Apr 13, 2023 · Apr 13, 2023 · Apr 16, 2023
diff --git a/api/observability/tracing/ssh/session.go b/api/observability/tracing/ssh/session.go
@@ -26,6 +26,7 @@ import (
 	oteltrace "go.opentelemetry.io/otel/trace"
 	"golang.org/x/crypto/ssh"
 
+	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/observability/tracing"
 )
 
@@ -342,3 +343,32 @@ func (s *Session) CombinedOutput(ctx context.Context, cmd string) ([]byte, error
 	output, err := s.Session.CombinedOutput(cmd)
 	return output, trace.Wrap(err)
 }
+
+// sendFileTransferDecision will send a "file-transfer-decision@goteleport.com" ssh request
+func (s *Session) sendFileTransferDecision(ctx context.Context, requestID string, approved bool) error {
+	req := &FileTransferDecisionReq{
+		RequestID: requestID,
+		Approved:  approved,
+	}
+	_, err := s.SendRequest(ctx, constants.FileTransferDecision, true, ssh.Marshal(req))
+	return trace.Wrap(err)
+}
+
+// ApproveFileTransferRequest sends a "file-transfer-decision@goteleport.com" ssh request
+// The ssh request will have the request ID and Approved: true
+func (s *Session) ApproveFileTransferRequest(ctx context.Context, requestID string) error {
+	return trace.Wrap(s.sendFileTransferDecision(ctx, requestID, true))
+}
+
+// DenyFileTransferRequest sends a "file-transfer-decision@goteleport.com" ssh request
+// The ssh request will have the request ID and Approved: false
+func (s *Session) DenyFileTransferRequest(ctx context.Context, requestID string) error {
+	return trace.Wrap(s.sendFileTransferDecision(ctx, requestID, false))
+}
+
+// RequestFileTransfer sends a "file-transfer-request@goteleport.com" ssh request that will create a new file transfer request
+// and notify the parties in an ssh session
+func (s *Session) RequestFileTransfer(ctx context.Context, req FileTransferReq) error {
+	_, err := s.SendRequest(ctx, constants.InitiateFileTransfer, true, ssh.Marshal(req))
+	return trace.Wrap(err)
+}
diff --git a/lib/defaults/defaults.go b/lib/defaults/defaults.go
@@ -671,6 +671,13 @@ const (
 	// WebsocketResize is receiving a resize request.
 	WebsocketResize = "w"
 
+	// WebsocketFileTransferRequest is received when a new file transfer has been requested
+	WebsocketFileTransferRequest = "f"
+
+	// WebsocketFileTransferDecision is received when a response (approve/deny) has been
+	// made for an existing file transfer request
+	WebsocketFileTransferDecision = "t"
+
 	// WebsocketWebauthnChallenge is sending a webauthn challenge.
 	WebsocketWebauthnChallenge = "n"
 

diff --git a/lib/srv/sess.go b/lib/srv/sess.go
@@ -350,6 +350,11 @@ func (s *SessionRegistry) isApprovedFileTransfer(scx *ServerContext) (bool, erro
 	s.sessionsMux.Lock()
 	defer s.sessionsMux.Unlock()
 
+	// get the requested location from env vars
+	location, _ := scx.GetEnv(sftp.FileTransferDstPath)
+	if location == "" {
+		return false, nil
+	}
 	// if a sessID and requestID environment variables were not set, return not approved and no error.
 	// This means the file transfer came from a non-moderated session. sessionID will be passed after a
 	// moderated session approval process has completed.
@@ -375,6 +380,10 @@ func (s *SessionRegistry) isApprovedFileTransfer(scx *ServerContext) (bool, erro
 		return false, trace.NotFound("File transfer request not found")
 	}
 
+	if req.location != location {
+		return false, trace.AccessDenied("requested destination path does not match the current request")
+	}
+
 	if req.requester != scx.Identity.TeleportUser {
 		return false, trace.AccessDenied("Teleport user does not match original requester")
 	}
@@ -663,6 +672,7 @@ func newSession(ctx context.Context, id rsession.ID, r *SessionRegistry, scx *Se
 		id:                             id,
 		registry:                       r,
 		parties:                        make(map[rsession.ID]*party),
+		fileTransferRequests:           make(map[string]*fileTransferRequest),
 		participants:                   make(map[rsession.ID]*party),
 		login:                          scx.Identity.Login,
 		stopC:                          make(chan struct{}),

diff --git a/lib/srv/sess_test.go b/lib/srv/sess_test.go
@@ -141,6 +141,7 @@ func TestIsApprovedFileTransfer(t *testing.T) {
 		expectedError  string
 		req            *fileTransferRequest
 		reqID          string
+		location       string
 	}{
 
 		{
@@ -167,14 +168,28 @@ func TestIsApprovedFileTransfer(t *testing.T) {
 				approvers: make(map[string]*party),
 			},
 		},
+		{
+			name:           "current request location does not match original location",
+			expectedResult: false,
+			expectedError:  "requested destination path does not match the current request",
+			reqID:          "123",
+			location:       "~/Downloads",
+			req: &fileTransferRequest{
+				requester: "michael",
+				approvers: make(map[string]*party),
+				location:  "~/badlocation",
+			},
+		},
 		{
 			name:           "approved request",
 			expectedResult: true,
 			expectedError:  "",
 			reqID:          "123",
+			location:       "~/Downloads",
 			req: &fileTransferRequest{
 				requester: "teleportUser",
 				approvers: approvers,
+				location:  "~/Downloads",
 			},
 		},
 	}
@@ -193,6 +208,7 @@ func TestIsApprovedFileTransfer(t *testing.T) {
 			scx := newTestServerContext(t, reg.Srv, accessRoleSet)
 			scx.SetEnv(string(sftp.ModeratedSessionID), sess.ID())
 			scx.SetEnv(string(sftp.FileTransferRequestID), tt.reqID)
+			scx.SetEnv(sftp.FileTransferDstPath, tt.location)
 			result, err := reg.isApprovedFileTransfer(scx)
 			if err != nil {
 				require.Equal(t, tt.expectedError, err.Error())

diff --git a/lib/sshutils/sftp/http.go b/lib/sshutils/sftp/http.go
@@ -36,15 +36,18 @@ import (
 type contextKey string
 
 const (
+	// FileTransferDstPath is the dstPath (location) for the requested file transfer. This would be equal
+	// to the file to be downloaded, or location for a file to be uploaded.
+	FileTransferDstPath string = "TELEPORT_FILE_TRANSFER_DST_PATH"
 	// FileTransferRequestID is an optional parameter id of an file transfer request that has gone through
 	// an approval process during a moderated session to allow a file transfer scp command to be executed
 	// used as a value in the file transfer context and env var for exec session
-	FileTransferRequestID contextKey = "FILE_TRANSFER_REQUEST_ID"
+	FileTransferRequestID contextKey = "TELEPORT_FILE_TRANSFER_REQUEST_ID"
 
 	// ModeratedSessionID is an optional parameter sent during SCP requests to specify which moderated session
 	// to check for valid FileTransferRequests
 	// used as a value in the file transfer context and env var for exec session
-	ModeratedSessionID contextKey = "MODERATED_SESSION_ID"
+	ModeratedSessionID contextKey = "TELEPORT_MODERATED_SESSION_ID"
 )
 
 var errDirsNotSupported = trace.BadParameter("directories are not supported when transferring files over HTTP")

diff --git a/lib/sshutils/sftp/sftp.go b/lib/sshutils/sftp/sftp.go
@@ -245,6 +245,8 @@ func (c *Config) TransferFiles(ctx context.Context, sshClient *ssh.Client) error
 	if fileTransferRequestID, ok := ctx.Value(FileTransferRequestID).(string); ok {
 		s.Setenv(string(FileTransferRequestID), fileTransferRequestID)
 	}
+	// set dstPath in env var to check against file transfer request location
+	s.Setenv(FileTransferDstPath, c.dstPath)
 
 	pe, err := s.StderrPipe()
 	if err != nil {

diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go
@@ -1129,6 +1129,129 @@ func TestResolveServerHostPort(t *testing.T) {
 	}
 }
 
+func isFileTransferRequest(e *Envelope) bool {
+	if e.GetType() != defaults.WebsocketAudit {
+		return false
+	}
+	var ef events.EventFields
+	if err := json.Unmarshal([]byte(e.GetPayload()), &ef); err != nil {
+		return false
+	}
+	return ef.GetType() == string(srv.FileTransferUpdate)
+}
+
+func isFileTransferDecision(e *Envelope) bool {
+	if e.GetType() != defaults.WebsocketAudit {
+		return false
+	}
+	var ef events.EventFields
+	if err := json.Unmarshal([]byte(e.GetPayload()), &ef); err != nil {
+		return false
+	}
+	return ef.GetType() == string(srv.FileTransferApproved)
+}
+
+func getRequestId(e *Envelope) (string, error) {
+	var ef events.EventFields
+	if err := json.Unmarshal([]byte(e.GetPayload()), &ef); err != nil {
+		return "", err
+	}
+	return ef.GetString("requestID"), nil
+}
+
+func TestFileTransferEvents(t *testing.T) {
+	t.Parallel()
+	s := newWebSuiteWithConfig(t, webSuiteConfig{disableDiskBasedRecording: true})
+
+	errs := make(chan error, 2)
+	readLoop := func(ctx context.Context, ws *websocket.Conn, ch chan<- *Envelope) {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+			}
+
+			typ, b, err := ws.ReadMessage()
+			if err != nil {
+				errs <- err
+				return
+			}
+			if typ != websocket.BinaryMessage {
+				errs <- trace.BadParameter("expected binary message, got %v", typ)
+				return
+			}
+			var envelope Envelope
+			if err := proto.Unmarshal(b, &envelope); err != nil {
+				errs <- trace.Wrap(err)
+				return
+			}
+			ch <- &envelope
+		}
+	}
+
+	// Create a new user "foo", open a terminal to a new session
+	pack := s.authPack(t, "foo")
+	ws, _, err := s.makeTerminal(t, pack)
+	require.NoError(t, err)
+	t.Cleanup(func() { require.NoError(t, ws.Close()) })
+
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(cancel)
+	wsMessages := make(chan *Envelope)
+	go readLoop(ctx, ws, wsMessages)
+
+	// Create file transfer event
+	data, err := json.Marshal(events.EventFields{
+		"download": true,
+		"location": "~/myfile.txt",
+	})
+
+	require.NoError(t, err)
+	envelope := &Envelope{
+		Version: defaults.WebsocketVersion,
+		Type:    defaults.WebsocketFileTransferRequest,
+		Payload: string(data),
+	}
+	envelopeBytes, err := proto.Marshal(envelope)
+	require.NoError(t, err)
+	err = ws.WriteMessage(websocket.BinaryMessage, envelopeBytes)
+	require.NoError(t, err)
+
+	done := time.After(5 * time.Second)
+	for {
+		select {
+		case <-done:
+			require.FailNow(t, "expected to receive a file transfer event")
+		case err := <-errs:
+			require.NoError(t, err)
+		case e := <-wsMessages:
+			if isFileTransferRequest(e) {
+				requestId, err := getRequestId(e)
+				require.NoError(t, err)
+				data, err := json.Marshal(events.EventFields{
+					"requestId": requestId,
+					"approved":  true,
+				})
+				require.NoError(t, err)
+				envelope := &Envelope{
+					Version: defaults.WebsocketVersion,
+					Type:    defaults.WebsocketFileTransferDecision,
+					Payload: string(data),
+				}
+				envelopeBytes, err := proto.Marshal(envelope)
+				require.NoError(t, err)
+				err = ws.WriteMessage(websocket.BinaryMessage, envelopeBytes)
+				require.NoError(t, err)
+			}
+
+			if isFileTransferDecision(e) {
+				return
+			}
+		}
+	}
+}
+
 func TestNewTerminalHandler(t *testing.T) {
 	ctx := context.Background()
 

diff --git a/lib/web/files.go b/lib/web/files.go
@@ -70,13 +70,13 @@ func (h *Handler) transferFile(w http.ResponseWriter, r *http.Request, p httprou
 		filename:              query.Get("filename"),
 		namespace:             defaults.Namespace,
 		webauthn:              query.Get("webauthn"),
-		fileTransferRequestID: query.Get("file_transfer_request_id"),
-		moderatedSessionID:    query.Get("moderated_session_id"),
+		fileTransferRequestID: query.Get("fileTransferRequestId"),
+		moderatedSessionID:    query.Get("moderatedSessionId"),
 	}
 
 	// Send an error if only one of these params has been sent. Both should exist or not exist together
 	if (req.fileTransferRequestID != "") != (req.moderatedSessionID != "") {
-		return nil, trace.BadParameter("file_transfer_request_id and moderated_session_id must both be included in the same request.")
+		return nil, trace.BadParameter("fileTransferRequestId and moderatedSessionId must both be included in the same request.")
 	}
 
 	clt, err := sctx.GetUserClient(r.Context(), site)