gravitational · gzdunek · Jan 11, 2024 · Jan 8, 2024 · Jan 8, 2024 · Jan 8, 2024
diff --git a/api/types/constants.go b/api/types/constants.go
@@ -1174,3 +1174,10 @@ const (
 	// installer script when agentless mode is enabled for a matcher
 	DefaultInstallerScriptNameAgentless = "default-agentless-installer"
 )
+
+const (
+	// ApplicationProtocolHTTP is the HTTP (Web) apps protocol
+	ApplicationProtocolHTTP = "HTTP"
+	// ApplicationProtocolTCP is the TCP apps protocol.
+	ApplicationProtocolTCP = "TCP"
+)
diff --git a/lib/teleterm/api/uri/parse.go b/lib/teleterm/api/uri/parse.go
@@ -58,8 +58,8 @@ func validateProfileName(r ResourceURI) error {
 }
 
 func validateGatewayTargetResource(r ResourceURI) error {
-	if r.GetDbName() == "" && r.GetKubeName() == "" {
-		return trace.BadParameter("malformed gateway target URI %q, expecting a database or kube resource", r)
+	if r.GetDbName() == "" && r.GetKubeName() == "" && r.GetAppName() == "" {
+		return trace.BadParameter("malformed gateway target URI %q, expecting a database, kube or app resource", r)
 	}
 	return nil
 }

diff --git a/lib/teleterm/clusters/cluster_apps.go b/lib/teleterm/clusters/cluster_apps.go
@@ -17,7 +17,16 @@
 package clusters
 
 import (
+	"context"
+	"crypto/tls"
+	"fmt"
+
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/client"
+	libclient "github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
 )
 
@@ -36,3 +45,91 @@ type SAMLIdPServiceProvider struct {
 
 	Provider types.SAMLIdPServiceProvider
 }
+
+func (c *Cluster) getApp(ctx context.Context, appName string) (types.Application, error) {
+	var app types.Application
+	err := AddMetadataToRetryableError(ctx, func() error {
+		apps, err := c.clusterClient.ListApps(ctx, &proto.ListResourcesRequest{
+			Namespace:           c.clusterClient.Namespace,
+			ResourceType:        types.KindAppServer,
+			PredicateExpression: fmt.Sprintf(`name == "%s"`, appName),
+		})
+		if err != nil {
+			return trace.Wrap(err)
+		}
+
+		if len(apps) == 0 {
+			return trace.NotFound("app %q not found", appName)
+		}
+
+		app = apps[0]
+		return nil
+	})
+
+	return app, trace.Wrap(err)
+}
+
+// reissueAppCert issue new certificates for the app and saves them to disk.
+func (c *Cluster) reissueAppCert(ctx context.Context, app types.Application) (tls.Certificate, error) {
+	if app.IsAWSConsole() || app.IsGCP() || app.IsAzureCloud() {
+		return tls.Certificate{}, trace.BadParameter("cloud applications are not supported")
+	}
+	// Refresh the certs to account for clusterClient.SiteName pointing at a leaf cluster.
+	err := c.clusterClient.ReissueUserCerts(ctx, client.CertCacheKeep, client.ReissueParams{
+		RouteToCluster: c.clusterClient.SiteName,
+		AccessRequests: c.status.ActiveRequests.AccessRequests,
+	})
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+
+	proxyClient, err := c.clusterClient.ConnectToProxy(ctx)
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+	defer proxyClient.Close()
+
+	request := types.CreateAppSessionRequest{
+		Username:          c.status.Username,
+		PublicAddr:        app.GetPublicAddr(),
+		ClusterName:       c.clusterClient.SiteName,
+		AWSRoleARN:        "",
+		AzureIdentity:     "",
+		GCPServiceAccount: "",
+	}
+
+	ws, err := proxyClient.CreateAppSession(ctx, request)
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+
+	err = proxyClient.ReissueUserCerts(ctx, client.CertCacheKeep, client.ReissueParams{
+		RouteToCluster: c.clusterClient.SiteName,
+		RouteToApp: proto.RouteToApp{
+			Name:              app.GetName(),
+			SessionID:         ws.GetName(),
+			PublicAddr:        app.GetPublicAddr(),
+			ClusterName:       c.clusterClient.SiteName,
+			AWSRoleARN:        "",
+			AzureIdentity:     "",
+			GCPServiceAccount: "",
+		},
+		AccessRequests: c.status.ActiveRequests.AccessRequests,
+	})
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+
+	key, err := c.clusterClient.LocalAgent().GetKey(c.clusterClient.SiteName, libclient.WithAppCerts{})
+	if err != nil {
+		return tls.Certificate{}, trace.Wrap(err)
+	}
+
+	cert, ok := key.AppTLSCerts[app.GetName()]
+	if !ok {
+		return tls.Certificate{}, trace.NotFound("the user is not logged in into the application %v", app.GetName())
+	}
+
+	tlsCert, err := key.TLSCertificate(cert)
+	return tlsCert, trace.Wrap(err)
 func loadAppCertificate(tc *libclient.TeleportClient, appName string) (certificate tls.Certificate, needLogin bool, err error) { 
 func loadAppCertificate(tc *libclient.TeleportClient, appName string) (certificate tls.Certificate, needLogin bool, err error) { 
+}
diff --git a/lib/teleterm/clusters/cluster_gateways.go b/lib/teleterm/clusters/cluster_gateways.go
@@ -60,6 +60,10 @@ func (c *Cluster) CreateGateway(ctx context.Context, params CreateGatewayParams)
 		gateway, err := c.createKubeGateway(ctx, params)
 		return gateway, trace.Wrap(err)
 
+	case params.TargetURI.IsApp():
+		gateway, err := c.createAppGateway(ctx, params)
+		return gateway, trace.Wrap(err)
+
 	default:
 		return nil, trace.NotImplemented("gateway not supported for %v", params.TargetURI)
 	}
@@ -148,6 +152,43 @@ func (c *Cluster) createKubeGateway(ctx context.Context, params CreateGatewayPar
 	return gw, trace.Wrap(err)
 }
 
+func (c *Cluster) createAppGateway(ctx context.Context, params CreateGatewayParams) (gateway.Gateway, error) {
+	appName := params.TargetURI.GetAppName()
+
+	app, err := c.getApp(ctx, appName)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	var cert tls.Certificate
+
+	if err := AddMetadataToRetryableError(ctx, func() error {
+		cert, err = c.reissueAppCert(ctx, app)
+		return trace.Wrap(err)
+	}); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	gw, err := gateway.New(gateway.Config{
+		LocalPort:                     params.LocalPort,
+		TargetURI:                     params.TargetURI,
+		TargetName:                    appName,
+		Cert:                          cert,
+		Protocol:                      app.GetProtocol(),
+		Insecure:                      c.clusterClient.InsecureSkipVerify,
+		WebProxyAddr:                  c.clusterClient.WebProxyAddr,
+		Log:                           c.Log,
+		TCPPortAllocator:              params.TCPPortAllocator,
+		OnExpiredCert:                 params.OnExpiredCert,
+		Clock:                         c.clock,
+		TLSRoutingConnUpgradeRequired: c.clusterClient.TLSRoutingConnUpgradeRequired,
+		RootClusterCACertPoolFunc:     c.clusterClient.RootClusterCACertPool,
+		ClusterName:                   c.Name,
+		Username:                      c.status.Username,
+	})
+	return gw, trace.Wrap(err)
+}
+
 // ReissueGatewayCerts reissues certificate for the provided gateway.
 //
 // At the moment, kube gateways reload their certs in memory while db gateways use the old approach
@@ -177,6 +218,16 @@ func (c *Cluster) ReissueGatewayCerts(ctx context.Context, g gateway.Gateway) (t
 	case g.TargetURI().IsKube():
 		cert, err := c.reissueKubeCert(ctx, g.TargetName())
 		return cert, trace.Wrap(err)
+	case g.TargetURI().IsApp():
+		appName := g.TargetURI().GetAppName()
+
+		app, err := c.getApp(ctx, appName)
+		if err != nil {
+			return tls.Certificate{}, trace.Wrap(err)
+		}
+
+		cert, err := c.reissueAppCert(ctx, app)
+		return cert, trace.Wrap(err)
 	default:
 		return tls.Certificate{}, trace.NotImplemented("ReissueGatewayCerts does not support this gateway kind %v", g.TargetURI().String())
 	}

diff --git a/lib/teleterm/cmd/app.go b/lib/teleterm/cmd/app.go
@@ -0,0 +1,43 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package cmd
+
+import (
+	"os/exec"
+
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/teleterm/gateway"
+)
+
+// NewAppCLICommand creates CLI commands for app gateways.
+func NewAppCLICommand(g gateway.Gateway) (*exec.Cmd, error) {
+	app, err := gateway.AsApp(g)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	if g.Protocol() == types.ApplicationProtocolTCP {
+		return exec.Command(""), nil
+	}
+
+	cmd := exec.Command("curl", app.LocalProxyURL())
+	return cmd, nil
+}
diff --git a/lib/teleterm/cmd/app_test.go b/lib/teleterm/cmd/app_test.go
@@ -0,0 +1,81 @@
+/*
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package cmd
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/teleterm/gateway"
+)
+
+type fakeAppGateway struct {
+	gateway.App
+	protocol     string
+	generatedUrl string
+}
+
+func (m fakeAppGateway) Protocol() string      { return m.protocol }
+func (m fakeAppGateway) LocalProxyURL() string { return m.generatedUrl }
+
+func TestNewAppCLICommand(t *testing.T) {
+	testCases := []struct {
+		name         string
+		protocol     string
+		generatedUrl string
+		output       string
+	}{
+		{
+			name:         "TCP app",
+			protocol:     types.ApplicationProtocolTCP,
+			generatedUrl: "tcp://localhost:8888",
+			output:       "",
+		},
+		{
+			name:         "HTTP app",
+			protocol:     types.ApplicationProtocolHTTP,
+			generatedUrl: "http://localhost:8888",
+			output:       "curl http://localhost:8888",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+
+			mockGateway := fakeAppGateway{
+				protocol:     tc.protocol,
+				generatedUrl: tc.generatedUrl,
+			}
+
+			command, err := NewAppCLICommand(mockGateway)
+
+			require.NoError(t, err)
+			cmdString := strings.TrimSpace(
+				fmt.Sprintf("%s %s",
+					strings.Join(command.Env, " "),
+					strings.Join(command.Args, " ")))
+
+			require.Equal(t, cmdString, tc.output)
+		})
+	}
+}
diff --git a/lib/teleterm/daemon/daemon.go b/lib/teleterm/daemon/daemon.go
@@ -447,6 +447,10 @@ func (s *Service) GetGatewayCLICommand(gateway gateway.Gateway) (*exec.Cmd, erro
 		cmd, err := cmd.NewKubeCLICommand(gateway)
 		return cmd, trace.Wrap(err)
 
+	case targetURI.IsApp():
+		cmd, err := cmd.NewAppCLICommand(gateway)
+		return cmd, trace.Wrap(err)
+
 	default:
 		return nil, trace.NotImplemented("gateway not supported for %v", targetURI)
 	}