Add initial command to session trackers (#32947) (#33113)

When user starts a session, we do not report the initial command used which causes visibility problems to moderators when they need to figure out if they join or not the session. This PR exposes the intial command for SSH and Kubernetes so moderators can decide if they want to join the session or not based on the initial command. Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
gravitational · Oct 9, 2023 · afbe4c5 · afbe4c5
1 parent 3ac9f08
commit afbe4c5
Show file tree

Hide file tree

Showing 14 changed files with 1,649 additions and 1,470 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -5011,6 +5011,9 @@ message SessionTrackerSpecV1 {
 
   // TargetSubKind is the sub kind of the target server.
   string TargetSubKind = 22 [(gogoproto.jsontag) = "target_sub_kind,omitempty"];
+
+  // InitialCommand is the command that was executed to start this session.
+  repeated string InitialCommand = 23 [(gogoproto.jsontag) = "initial_command,omitempty"];
 }
 
 // SessionTrackerPolicySet is a set of RBAC policies held by the session tracker

diff --git a/api/types/session_tracker.go b/api/types/session_tracker.go
@@ -122,6 +122,9 @@ type SessionTracker interface {
 
 	// GetTargetSubKind returns the sub kind of the target server.
 	GetTargetSubKind() string
+
+	// GetCommand returns the command that initiated the session.
+	GetCommand() []string
 }
 
 func NewSessionTracker(spec SessionTrackerSpecV1) (SessionTracker, error) {
@@ -336,6 +339,11 @@ func (s *SessionTrackerV1) GetTargetSubKind() string {
 	return s.Spec.TargetSubKind
 }
 
+// GetCommand returns command that intiated the session.
+func (s *SessionTrackerV1) GetCommand() []string {
+	return s.Spec.InitialCommand
+}
+
 // Match checks if a given session tracker matches this filter.
 func (f *SessionTrackerFilter) Match(s SessionTracker) bool {
 	if f.Kind != "" && string(s.GetSessionKind()) != f.Kind {

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/lib/kube/proxy/sess.go b/lib/kube/proxy/sess.go
@@ -1195,6 +1195,7 @@ func (s *session) trackSession(p *party, policySet []*types.SessionTrackerPolicy
 		Created:           time.Now(),
 		Reason:            s.reason,
 		Invited:           s.invitedUsers,
+		InitialCommand:    s.req.URL.Query()["command"],
 	}
 
 	s.log.Debug("Creating session tracker")

diff --git a/lib/session/session.go b/lib/session/session.go
@@ -107,6 +107,8 @@ type Session struct {
 	Owner string `json:"owner"`
 	// Moderated is true if the session requires moderation (only relevant for Kind = ssh/k8s).
 	Moderated bool `json:"moderated"`
+	// Command is the command that was executed to start the session.
+	Command string `json:"command"`
 }
 
 // FileTransferRequestParams contain parameters for requesting a file transfer

diff --git a/lib/srv/sess.go b/lib/srv/sess.go
@@ -2055,19 +2055,24 @@ func (p *party) closeUnderSessionLock() {
 // While ctx is open, the session tracker's expiration will be extended
 // on an interval until the session tracker is closed.
 func (s *session) trackSession(ctx context.Context, teleportUser string, policySet []*types.SessionTrackerPolicySet) error {
+	var initialCommand []string
+	if execRequest, err := s.scx.GetExecRequest(); err == nil {
+		initialCommand = []string{execRequest.GetCommand()}
+	}
 	trackerSpec := types.SessionTrackerSpecV1{
-		SessionID:     s.id.String(),
-		Kind:          string(types.SSHSessionKind),
-		State:         types.SessionState_SessionStatePending,
-		Hostname:      s.serverMeta.ServerHostname,
-		Address:       s.serverMeta.ServerID,
-		ClusterName:   s.scx.ClusterName,
-		Login:         s.login,
-		HostUser:      teleportUser,
-		Reason:        s.scx.env[teleport.EnvSSHSessionReason],
-		HostPolicies:  policySet,
-		Created:       s.registry.clock.Now().UTC(),
-		TargetSubKind: s.serverMeta.ServerSubKind,
+		SessionID:      s.id.String(),
+		Kind:           string(types.SSHSessionKind),
+		State:          types.SessionState_SessionStatePending,
+		Hostname:       s.serverMeta.ServerHostname,
+		Address:        s.serverMeta.ServerID,
+		ClusterName:    s.scx.ClusterName,
+		Login:          s.login,
+		HostUser:       teleportUser,
+		Reason:         s.scx.env[teleport.EnvSSHSessionReason],
+		HostPolicies:   policySet,
+		Created:        s.registry.clock.Now().UTC(),
+		TargetSubKind:  s.serverMeta.ServerSubKind,
+		InitialCommand: initialCommand,
 	}
 
 	if s.scx.env[teleport.EnvSSHSessionInvited] != "" {

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -365,7 +365,6 @@ func NewHandler(cfg Config, opts ...HandlerOption) (*APIHandler, error) {
 		if err != nil {
 			h.log.WithError(err).Warnf("Invalid SSH proxy address %q, will use default port %v.",
 				cfg.ProxySSHAddr.String(), defaults.SSHProxyListenPort)
-
 		} else {
 			sshPortValue = sshPort
 		}
@@ -3011,6 +3010,7 @@ func trackerToLegacySession(tracker types.SessionTracker, clusterName string) se
 		Moderated:             accessEvaluator.IsModerated(),
 		DatabaseName:          tracker.GetDatabaseName(),
 		Owner:                 tracker.GetHostUser(),
+		Command:               strings.Join(tracker.GetCommand(), " "),
 	}
 }
 
@@ -3695,7 +3695,6 @@ func consumeTokenForAPICall(ctx context.Context, proxyClient auth.ClientI, token
 	}
 
 	return token, nil
-
 }
 
 // checkTokenTTL returns true if the token is still valid.

diff --git a/tool/tsh/kube.go b/tool/tsh/kube.go
@@ -571,9 +571,18 @@ func serializeKubeSessions(sessions []types.SessionTracker, format string) (stri
 }
 
 func printSessions(output io.Writer, sessions []types.SessionTracker) {
-	table := asciitable.MakeTable([]string{"ID", "State", "Created", "Hostname", "Address", "Login", "Reason"})
+	table := asciitable.MakeTable([]string{"ID", "State", "Created", "Hostname", "Address", "Login", "Reason", "Command"})
 	for _, s := range sessions {
-		table.AddRow([]string{s.GetSessionID(), s.GetState().String(), s.GetCreated().Format(time.RFC3339), s.GetHostname(), s.GetAddress(), s.GetLogin(), s.GetReason()})
+		table.AddRow([]string{
+			s.GetSessionID(),
+			s.GetState().String(),
+			s.GetCreated().Format(time.RFC3339),
+			s.GetHostname(),
+			s.GetAddress(),
+			s.GetLogin(),
+			s.GetReason(),
+			strings.Join(s.GetCommand(), " "),
+		})
 	}
 
 	tableOutput := table.AsBuffer().String()

diff --git a/web/packages/teleport/src/Console/DocumentSsh/DocumentSsh.story.tsx b/web/packages/teleport/src/Console/DocumentSsh/DocumentSsh.story.tsx
@@ -100,4 +100,6 @@ const session: Session = {
   addr: '1.1.1.1:1111',
   participantModes: ['observer', 'moderator', 'peer'],
   moderated: false,
+  command:
+    'top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid',
 };
diff --git a/web/packages/teleport/src/Sessions/SessionList/SessionList.tsx b/web/packages/teleport/src/Sessions/SessionList/SessionList.tsx
@@ -55,6 +55,10 @@ export default function SessionList(props: Props) {
           headerText: 'Users',
           render: renderUsersCell,
         },
+        {
+          key: 'command',
+          headerText: 'Command',
+        },
         {
           key: 'durationText',
           altSortKey: 'created',

diff --git a/web/packages/teleport/src/Sessions/__snapshots__/Sessions.story.test.tsx.snap b/web/packages/teleport/src/Sessions/__snapshots__/Sessions.story.test.tsx.snap
@@ -631,6 +631,11 @@ exports[`active sessions CTA 1`] = `
           >
             Users
           </th>
+          <th
+            style="cursor: default;"
+          >
+            Command
+          </th>
           <th>
             <a>
               Duration
@@ -662,6 +667,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            kubectl get pods
+          </td>
           <td>
             59 minutes
           </td>
@@ -686,6 +694,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            ls -la
+          </td>
           <td>
             5 seconds
           </td>
@@ -727,6 +738,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa3
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -768,6 +782,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -809,6 +826,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -833,6 +853,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             3 minutes
           </td>
@@ -857,6 +880,9 @@ exports[`active sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             13 minutes
           </td>
@@ -1415,6 +1441,11 @@ exports[`loaded 1`] = `
           >
             Users
           </th>
+          <th
+            style="cursor: default;"
+          >
+            Command
+          </th>
           <th>
             <a>
               Duration
@@ -1446,6 +1477,9 @@ exports[`loaded 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            kubectl get pods
+          </td>
           <td>
             59 minutes
           </td>
@@ -1470,6 +1504,9 @@ exports[`loaded 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            ls -la
+          </td>
           <td>
             5 seconds
           </td>
@@ -1511,6 +1548,9 @@ exports[`loaded 1`] = `
           <td>
             lisa3
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -1552,6 +1592,9 @@ exports[`loaded 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -1593,6 +1636,9 @@ exports[`loaded 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -1617,6 +1663,9 @@ exports[`loaded 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             3 minutes
           </td>
@@ -1641,6 +1690,9 @@ exports[`loaded 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             13 minutes
           </td>
@@ -2199,6 +2251,11 @@ exports[`moderated sessions CTA 1`] = `
           >
             Users
           </th>
+          <th
+            style="cursor: default;"
+          >
+            Command
+          </th>
           <th>
             <a>
               Duration
@@ -2230,6 +2287,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            kubectl get pods
+          </td>
           <td>
             59 minutes
           </td>
@@ -2254,6 +2314,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            ls -la
+          </td>
           <td>
             5 seconds
           </td>
@@ -2295,6 +2358,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa3
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -2336,6 +2402,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -2377,6 +2446,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             5 seconds
           </td>
@@ -2401,6 +2473,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             3 minutes
           </td>
@@ -2425,6 +2500,9 @@ exports[`moderated sessions CTA 1`] = `
           <td>
             lisa2
           </td>
+          <td>
+            top -o command -o cpu -o boosts -o cycles -o cow -o user -o vsize -o csw -o threads -o ports -o ppid
+          </td>
           <td>
             13 minutes
           </td>