fix app access regression when the app is on a leaf cluster #47778
Conversation
There was a problem hiding this comment.
Logic seems fine to be. it'd be nice to change this from some nested if and just into two variables like
const fqdnMatch and const isLeafApp or whatever you think makes most sense. then we can just do if !this && !that, return error
might read a little nicer. but in general this is good!
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
|
Thanks @avatus, moved the logic into it's own function to put the logic and comments in one place. Did some more testing and found that this PR fixes an |
|
The This is why you see I believe we need to update our forwarding URL to use Here was my diff to get it working (copy and then Open Me!diff --git a/web/packages/teleport/src/AppLauncher/AppLauncher.tsx b/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
index 58420124e0..1c61b70d71 100644
--- a/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
+++ b/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
@@ -122,7 +122,6 @@ export function AppLauncher() {
const stateToken = queryParams.get('state');
if (!stateToken) {
initiateNewAuthExchange({
- fqdn,
port,
path,
params,
@@ -138,7 +137,10 @@ export function AppLauncher() {
const session = await service.createAppSession(params);
// Set all the fields expected by server to validate request.
- const url = getXTeleportAuthUrl({ fqdn, port });
+ const url = getXTeleportAuthUrl({
+ publicAddr: resolvedApp.publicAddress,
+ port,
+ });
url.searchParams.set('state', stateToken);
url.searchParams.set('subject', session.subjectCookieValue);
if (requiredApps.length > 1) {
@@ -217,9 +219,15 @@ function prepareFqdn(fqdn: string) {
}
}
-function getXTeleportAuthUrl({ fqdn, port }: { fqdn: string; port: string }) {
+function getXTeleportAuthUrl({
+ port,
+ publicAddr,
+}: {
+ port: string;
+ publicAddr: string;
+}) {
try {
- return new URL(`https://${fqdn}${port}/x-teleport-auth`);
+ return new URL(`https://${publicAddr}${port}/x-teleport-auth`);
} catch (err) {
throwFailedToParseUrlError(err);
}
@@ -235,13 +243,11 @@ function getXTeleportAuthUrl({ fqdn, port }: { fqdn: string; port: string }) {
// bookmarked URL), in which the server will redirect the user
// to this launcher.
function initiateNewAuthExchange({
- fqdn,
port,
params,
path,
requiredApps,
}: {
- fqdn: string;
port: string;
// params will only be defined if the user clicked our "launch"
// app button from the web UI.
@@ -255,7 +261,7 @@ function initiateNewAuthExchange({
path: string;
requiredApps: string[];
}) {
- const url = getXTeleportAuthUrl({ fqdn, port });
+ const url = getXTeleportAuthUrl({ publicAddr: params.publicAddr, port });
if (path) {
url.searchParams.set('path', path);
Thanks! |
capnspacehook
force-pushed
the
capnspacehook/trusted-cluster-app-access-regression
branch
from
2fb2ca4 to
98494cd
Compare
capnspacehook
force-pushed
the
capnspacehook/trusted-cluster-app-access-regression
branch
2 times, most recently
from
a67cf46 to
8629517
Compare
|
Does this (Michael's patch) also fix #10671? |
capnspacehook
force-pushed
the
capnspacehook/trusted-cluster-app-access-regression
branch
from
8629517 to
d0d79b7
Compare
lib/web/app/handler.go
Outdated
| host := hostname | ||
| if req.requiresAppRedirect { | ||
| host = req.publicAddr | ||
| } |
There was a problem hiding this comment.
| host := hostname | |
| if req.requiresAppRedirect { | |
| host = req.publicAddr | |
| } | |
| if req.requiresAppRedirect { | |
| hostname = req.publicAddr | |
| } |
If you update the existing hostname variable instead of making a new variable with a similar name, there's less chance of us mistakenly using the wrong one later on in this function and breaking something.
There was a problem hiding this comment.
Thinking about this more I agree with how it's done now a bit more; if the variable is set to the public addr calling it hostname isn't very accurate anymore
There was a problem hiding this comment.
Then change the input paramater to something like addr.
Having two variables in scope with a similar name, where one works and the other doesn't is a recipe for failure.
There was a problem hiding this comment.
Fair enough, done
There was a problem hiding this comment.
I was hoping you would rename the function parameter, which was not done.
I don't want two variables in scope where one works and one doesn't. Let's make a single variable (which we overwrite if necessary), so there's no potential for confusion. As written, we still have addr and hostname in scope.
There was a problem hiding this comment.
Ah I see, I misunderstood. That makes sense, I renamed the hostname parameter to addr. This should make this function less confusing
public-teleport-github-review-bot
bot
removed request for
ryanclark,
kiosion and
kimlisa
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
capnspacehook
deleted the
capnspacehook/trusted-cluster-app-access-regression
branch
* only redirect to the public addr of an app when an app redirect is required * rename local variable from 'host' to 'addr' * rename param
|
Could we backport this to v16? According to #46951, it's broken on >= 16.4.0. |
* only redirect to the public addr of an app when an app redirect is required * rename local variable from 'host' to 'addr' * rename param
|
@ravicious @capnspacehook #49056 backported it to v16 here |
…49056) * only redirect to the public addr of an app when an app redirect is required * rename local variable from 'host' to 'addr' * rename param Co-authored-by: Andrew LeFevre <[email protected]>
Fixes #46951.
changelog: fix app access regression to apps on leaf clusters