From bebc779e6603c23c5f68f5eefb3da2ed82cc1019 Mon Sep 17 00:00:00 2001
From: Tim Ross
Date: Fri, 12 Jan 2024 10:27:25 -0500
Subject: [PATCH] Prevent ConnectionMonitor leaks

The context used to create the connection monitor for app sessions was never canceled which left the connection monitor running until the certificate expired, the user was locked, or the idle timeout was enforced. By using the correct context and canceling appropriately the monitor is terminated as soon as the app session has concluded.
---
 lib/srv/app/server.go | 11 +++++++----
 lib/srv/monitor.go    |  1 -
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/srv/app/server.go b/lib/srv/app/server.go
index 73938a7468a91..d03bcf49543ea 100644
--- a/lib/srv/app/server.go
+++ b/lib/srv/app/server.go
@@ -722,7 +722,7 @@ func (s *Server) handleConnection(conn net.Conn) (func(), error) {
 		return nil, trace.Wrap(err)
 	}
 
-	ctx = authz.ContextWithUser(s.closeContext, user)
+	ctx = authz.ContextWithUser(ctx, user)
 	ctx = authz.ContextWithClientSrcAddr(ctx, conn.RemoteAddr())
 
 	authCtx, _, err := s.authorizeContext(ctx)
@@ -750,12 +750,15 @@ func (s *Server) handleConnection(conn net.Conn) (func(), error) {
 	// differently than HTTP requests from web apps.
 	if app.IsTCP() {
 		identity := authCtx.Identity.GetIdentity()
-		return nil, s.handleTCPApp(ctx, tlsConn, &identity, app)
+		defer cancel(nil)
+		return nil, trace.Wrap(s.handleTCPApp(ctx, tlsConn, &identity, app))
 	}
 
-	return func() {
+	cleanup := func() {
+		cancel(nil)
 		s.deleteConnAuth(tlsConn)
-	}, s.handleHTTPApp(ctx, tlsConn)
+	}
+	return cleanup, trace.Wrap(s.handleHTTPApp(ctx, tlsConn))
 }
 
 // handleTCPApp handles connection for a TCP application.
diff --git a/lib/srv/monitor.go b/lib/srv/monitor.go
index b73c95c7411c2..6867f52b3e245 100644
--- a/lib/srv/monitor.go
+++ b/lib/srv/monitor.go
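Review bot: The early error returns around the changed line — `return nil, trace.Wrap(err)` at the top of this hunk and, presumably, the error check after `authCtx, _, err := s.authorizeContext(ctx)` just below it — still return without cancelling ctx, while the second hunk's `cancel(nil)` shows a cancel function is already in scope; if ctx was derived with that cancel func earlier in handleConnection (its start lies outside the hunk), those paths keep whatever is bound to ctx alive until the parent context ends, so the fix covers only the two success paths. A plain `defer cancel(nil)` at the top would not work here because the HTTP path must hand the live context to the caller, so either call `cancel(nil)` in each error branch before returning or arm a deferred cancel that is disarmed once cleanup is handed off. Worth a one-line comment on the success path too, e.g. `// ctx outlives this call on the HTTP path; cleanup() cancels it.`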
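Review bot: On the HTTP path, `cleanup` — which now owns `cancel(nil)` — is returned together with whatever error handleHTTPApp fails with, so if the caller discards the cleanup func when err != nil (the call site is not in this hunk) the monitor context is never cancelled on that error path, which is exactly the leak the commit sets out to fix. The TCP branch avoids the problem with `defer cancel(nil)`; the HTTP branch could run cleanup itself before returning the error and return a nil func, as below, provided the caller does not also run cleanup on error (that would double-run deleteConnAuth). handleConnection's start lies outside the hunk.
```go
	// … unchanged: cleanup closure (cancel(nil) + deleteConnAuth) …
	// Run cleanup here on failure so the monitor context is released even
	// if the caller ignores the returned func when err != nil.
	if err := s.handleHTTPApp(ctx, tlsConn); err != nil {
		cleanup()
		return nil, trace.Wrap(err)
	}
	return cleanup, nil
```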
@@ -407,7 +407,6 @@ func (w *Monitor) start(lockWatch types.Watcher) {
 			lockWatchDoneC = nil
 		case <-w.Context.Done():
-			w.Entry.Debugf("Releasing associated resources - context has been closed.")
 			return
 		}
 	}