94 changes: 0 additions & 94 deletions lib/auth/sessions.go
Expand Up @@ -34,15 +34,13 @@ import (
devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
mfav1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/mfa/v1"
"github.com/gravitational/teleport/api/types"
apievents "github.com/gravitational/teleport/api/types/events"
"github.com/gravitational/teleport/api/utils/keys"
"github.com/gravitational/teleport/api/utils/keys/hardwarekey"
"github.com/gravitational/teleport/entitlements"
"github.com/gravitational/teleport/lib/auth/appauthconfig/appauthconfigv1"
"github.com/gravitational/teleport/lib/cryptosuites"
"github.com/gravitational/teleport/lib/defaults"
dtauthz "github.com/gravitational/teleport/lib/devicetrust/authz"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/jwt"
"github.com/gravitational/teleport/lib/modules"
"github.com/gravitational/teleport/lib/services"
Expand Down Expand Up @@ -557,72 +555,6 @@ func (a *Server) CreateAppSessionFromReq(ctx context.Context, req NewAppSessionR
return nil, trace.Wrap(err)
}

// Audit fields used for both success and failure
sessionStartEvent := &apievents.AppSessionStart{
Metadata: apievents.Metadata{
Type: events.AppSessionStartEvent,
ClusterName: req.ClusterName,
},
ServerMetadata: apievents.ServerMetadata{
ServerVersion: teleport.Version,
ServerID: a.ServerID,
ServerNamespace: apidefaults.Namespace,
},
ConnectionMetadata: apievents.ConnectionMetadata{
RemoteAddr: req.ClientAddr,
},
AppMetadata: apievents.AppMetadata{
AppURI: req.AppURI,
AppPublicAddr: req.PublicAddr,
AppName: req.AppName,
AppTargetPort: uint32(req.AppTargetPort),
},
}

// Enforce device trust early via the AccessChecker.
if err = checker.CheckDeviceAccess(services.AccessState{
DeviceVerified: dtauthz.IsTLSDeviceVerified((*tlsca.DeviceExtensions)(&req.DeviceExtensions)),
EnableDeviceVerification: true,
IsBot: req.BotName != "",
}); err != nil {
userKind := apievents.UserKind_USER_KIND_HUMAN
if req.BotName != "" {
userKind = apievents.UserKind_USER_KIND_BOT
}

userMetadata := apievents.UserMetadata{
User: req.User,
BotName: req.BotName,
BotInstanceID: req.BotInstanceID,
UserKind: userKind,
UserRoles: req.Roles,
UserClusterName: req.ClusterName,
UserTraits: req.Traits,
AWSRoleARN: req.AWSRoleARN,
}

if req.DeviceExtensions.DeviceID != "" {
userMetadata.TrustedDevice = &apievents.DeviceMetadata{
DeviceId: req.DeviceExtensions.DeviceID,
AssetTag: req.DeviceExtensions.AssetTag,
CredentialId: req.DeviceExtensions.CredentialID,
}
}
errMsg := "requires a trusted device"

sessionStartEvent.Metadata.SetCode(events.AppSessionStartFailureCode)
sessionStartEvent.UserMetadata = userMetadata
sessionStartEvent.SessionMetadata = apievents.SessionMetadata{
WithMFA: req.MFAVerified,
}
sessionStartEvent.Error = err.Error()
sessionStartEvent.UserMessage = errMsg

a.emitter.EmitAuditEvent(a.closeCtx, sessionStartEvent)
// err swallowed/obscured on purpose.
return nil, trace.AccessDenied("%s", errMsg)
}

sessionID := req.SuggestedSessionID
if sessionID == "" {
// Create services.WebSession for this session.
Expand Down Expand Up @@ -721,32 +653,6 @@ func (a *Server) CreateAppSessionFromReq(ctx context.Context, req NewAppSessionR
return session, nil
}

// Extract the identity of the user from the certificate, this will include metadata from any actively assumed access requests.
certificate, err := tlsca.ParseCertificatePEM(session.GetTLSCert())
if err != nil {
return nil, trace.Wrap(err)
}
identity, err := tlsca.FromSubject(certificate.Subject, certificate.NotAfter)
if err != nil {
return nil, trace.Wrap(err)
}

userMetadata := identity.GetUserMetadata()
userMetadata.User = session.GetUser()
userMetadata.AWSRoleARN = req.AWSRoleARN

sessionStartEvent.Metadata.SetCode(events.AppSessionStartCode)
sessionStartEvent.UserMetadata = userMetadata
sessionStartEvent.SessionMetadata = apievents.SessionMetadata{
SessionID: session.GetName(),
WithMFA: req.MFAVerified,
PrivateKeyPolicy: string(identity.PrivateKeyPolicy),
}

if err := a.emitter.EmitAuditEvent(a.closeCtx, sessionStartEvent); err != nil {
a.logger.WarnContext(ctx, "Failed to emit app session start event", "error", err)
}

return session, nil
}
