gravitational · andrejtokarcik · Apr 26, 2021 · Apr 13, 2021 · Apr 14, 2021 · Apr 23, 2021
diff --git a/integration/app_integration_test.go b/integration/app_integration_test.go
@@ -764,8 +764,8 @@ func (p *pack) createAppSession(t *testing.T, publicAddr, clusterName string) st
 	require.NotEmpty(t, p.webCookie)
 	require.NotEmpty(t, p.webToken)
 
-	casReq, err := json.Marshal(web.CreateAppSessionRequest{
-		FQDN:        publicAddr,
+	casReq, err := json.Marshal(web.AppResolveParams{
+		FQDNHint:    publicAddr,
 		PublicAddr:  publicAddr,
 		ClusterName: clusterName,
 	})

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -351,6 +351,9 @@ func NewHandler(cfg Config, opts ...HandlerOption) (*RewritingHandler, error) {
 	h.POST("/webapi/trustedcluster", h.WithAuth(h.upsertTrustedClusterHandle))
 	h.DELETE("/webapi/trustedcluster/:name", h.WithAuth(h.deleteTrustedCluster))
 
+	h.GET("/webapi/apps/:fqdnHint", h.WithAuth(h.getAppFQDN))
+	h.GET("/webapi/apps/:fqdnHint/:clusterName/:publicAddr", h.WithAuth(h.getAppFQDN))
+
 	// if Web UI is enabled, check the assets dir:
 	var indexPage *template.Template
 	if cfg.StaticFS != nil {
@@ -1246,7 +1249,7 @@ func newSessionResponse(ctx *SessionContext) (*CreateSessionResponse, error) {
 
 // createWebSession creates a new web session based on user, pass and 2nd factor token
 //
-// POST /v1/webapi/sessions
+// POST /v1/webapi/sessions/web
 //
 // {"user": "alex", "pass": "abc123", "second_factor_token": "token", "second_factor_type": "totp"}
 //

diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go
@@ -1836,8 +1836,8 @@ func TestApplicationAccessDisabled(t *testing.T) {
 	require.NoError(t, err)
 
 	endpoint := pack.clt.Endpoint("webapi", "sessions", "app")
-	_, err = pack.clt.PostJSON(context.Background(), endpoint, &CreateAppSessionRequest{
-		FQDN:        "panel.example.com",
+	_, err = pack.clt.PostJSON(context.Background(), endpoint, &AppResolveParams{
+		FQDNHint:    "panel.example.com",
 		PublicAddr:  "panel.example.com",
 		ClusterName: "localhost",
 	})
@@ -1882,15 +1882,15 @@ func (s *WebSuite) TestCreateAppSession(c *C) {
 
 	var tests = []struct {
 		inComment       CommentInterface
-		inCreateRequest *CreateAppSessionRequest
+		inCreateRequest *AppResolveParams
 		outError        bool
 		outFQDN         string
 		outUsername     string
 	}{
 		{
 			inComment: Commentf("Valid request: all fields."),
-			inCreateRequest: &CreateAppSessionRequest{
-				FQDN:        "panel.example.com",
+			inCreateRequest: &AppResolveParams{
+				FQDNHint:    "panel.example.com",
 				PublicAddr:  "panel.example.com",
 				ClusterName: "localhost",
 			},
@@ -1900,7 +1900,7 @@ func (s *WebSuite) TestCreateAppSession(c *C) {
 		},
 		{
 			inComment: Commentf("Valid request: without FQDN."),
-			inCreateRequest: &CreateAppSessionRequest{
+			inCreateRequest: &AppResolveParams{
 				PublicAddr:  "panel.example.com",
 				ClusterName: "localhost",
 			},
@@ -1910,49 +1910,49 @@ func (s *WebSuite) TestCreateAppSession(c *C) {
 		},
 		{
 			inComment: Commentf("Valid request: only FQDN."),
-			inCreateRequest: &CreateAppSessionRequest{
-				FQDN: "panel.example.com",
+			inCreateRequest: &AppResolveParams{
+				FQDNHint: "panel.example.com",
 			},
 			outError:    false,
 			outFQDN:     "panel.example.com",
 			outUsername: "[email protected]",
 		},
 		{
 			inComment: Commentf("Invalid request: only public address."),
-			inCreateRequest: &CreateAppSessionRequest{
+			inCreateRequest: &AppResolveParams{
 				PublicAddr: "panel.example.com",
 			},
 			outError: true,
 		},
 		{
 			inComment: Commentf("Invalid request: only cluster name."),
-			inCreateRequest: &CreateAppSessionRequest{
+			inCreateRequest: &AppResolveParams{
 				ClusterName: "localhost",
 			},
 			outError: true,
 		},
 		{
 			inComment: Commentf("Invalid application."),
-			inCreateRequest: &CreateAppSessionRequest{
-				FQDN:        "panel.example.com",
+			inCreateRequest: &AppResolveParams{
+				FQDNHint:    "panel.example.com",
 				PublicAddr:  "invalid.example.com",
 				ClusterName: "localhost",
 			},
 			outError: true,
 		},
 		{
 			inComment: Commentf("Invalid cluster name."),
-			inCreateRequest: &CreateAppSessionRequest{
-				FQDN:        "panel.example.com",
+			inCreateRequest: &AppResolveParams{
+				FQDNHint:    "panel.example.com",
 				PublicAddr:  "panel.example.com",
 				ClusterName: "example.com",
 			},
 			outError: true,
 		},
 		{
 			inComment: Commentf("Malicious request: all fields."),
-			inCreateRequest: &CreateAppSessionRequest{
-				FQDN:        "[email protected]",
+			inCreateRequest: &AppResolveParams{
+				FQDNHint:    "[email protected]",
 				PublicAddr:  "panel.example.com",
 				ClusterName: "localhost",
 			},
@@ -1962,8 +1962,8 @@ func (s *WebSuite) TestCreateAppSession(c *C) {
 		},
 		{
 			inComment: Commentf("Malicious request: only FQDN."),
-			inCreateRequest: &CreateAppSessionRequest{
-				FQDN: "[email protected]",
+			inCreateRequest: &AppResolveParams{
+				FQDNHint: "[email protected]",
 			},
 			outError: true,
 		},

diff --git a/lib/web/app/fragment.go b/lib/web/app/fragment.go
@@ -43,21 +43,22 @@ type fragmentRequest struct {
 func (h *Handler) handleFragment(w http.ResponseWriter, r *http.Request, p httprouter.Params) error {
 	switch r.Method {
 	case http.MethodGet:
+		q := r.URL.Query()
 		// If the state query parameter is not set, generate a new state token,
 		// store it in a cookie and redirect back to the app launcher.
-		if r.URL.Query().Get("state") == "" {
+		if q.Get("state") == "" {
 			stateToken, err := utils.CryptoRandomHex(auth.TokenLenBytes)
 			if err != nil {
 				h.log.WithError(err).Debugf("Failed to generate and encode random numbers.")
 				return trace.AccessDenied("access denied")
 			}
 			h.setAuthStateCookie(w, stateToken)
-			p := launcherURLParams{
-				clusterName: r.URL.Query().Get("cluster"),
-				publicAddr:  r.URL.Query().Get("addr"),
+			urlParams := launcherURLParams{
+				clusterName: q.Get("cluster"),
+				publicAddr:  q.Get("addr"),
 				stateToken:  stateToken,
 			}
-			return h.redirectToLauncher(w, r, p)
+			return h.redirectToLauncher(w, r, urlParams)
 		}
 
 		nonce, err := utils.CryptoRandomHex(auth.TokenLenBytes)

diff --git a/lib/web/apps.go b/lib/web/apps.go
@@ -55,9 +55,9 @@ func (h *Handler) siteAppsGet(w http.ResponseWriter, r *http.Request, p httprout
 	return makeResponse(ui.MakeApps(h.auth.clusterName, h.proxyDNSName(), appClusterName, appServers))
 }
 
-type CreateAppSessionRequest struct {
-	// FQDN is the fully qualified domain name of the application.
-	FQDN string `json:"fqdn"`
+type AppResolveParams struct {
+	// FQDNHint indicates (tentatively) the fully qualified domain name of the application.
+	FQDNHint string `json:"fqdn"`
 
 	// PublicAddr is the public address of the application.
 	PublicAddr string `json:"public_addr"`
@@ -66,15 +66,58 @@ type CreateAppSessionRequest struct {
 	ClusterName string `json:"cluster_name"`
 }
 
+type GetAppFQDNResponse struct {
+	// FQDN is application FQDN.
+	FQDN string `json:"fqdn"`
+}
+
 type CreateAppSessionResponse struct {
 	// CookieValue is the application session cookie value.
 	CookieValue string `json:"value"`
 	// FQDN is application FQDN.
 	FQDN string `json:"fqdn"`
 }
 
+// getAppFQDN resolves the input params to a known application and returns
+// its valid FQDN.
+//
+// GET /v1/webapi/apps/:fqdn/:clusterName/:publicAddr
+func (h *Handler) getAppFQDN(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *SessionContext) (interface{}, error) {
+	req := &AppResolveParams{
+		FQDNHint:    p.ByName("fqdnHint"),
+		ClusterName: p.ByName("clusterName"),
+		PublicAddr:  p.ByName("publicAddr"),
+	}
+
+	// Get an auth client connected with the user's identity.
+	authClient, err := ctx.GetClient()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	// Get a reverse tunnel proxy aware of the user's permissions.
+	proxy, err := h.ProxyWithRoles(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	// Use the information the caller provided to attempt to resolve to an
+	// application running within either the root or leaf cluster.
+	result, err := h.resolveApp(r.Context(), authClient, proxy, req)
+	if err != nil {
+		return nil, trace.Wrap(err, "Unable to resolve FQDN: %v", req.FQDNHint)
+	}
+
+	return &GetAppFQDNResponse{
+		FQDN: result.FQDN,
+	}, nil
+}
+
+// createAppSession creates a new application session.
+//
+// POST /v1/webapi/sessions/app
 func (h *Handler) createAppSession(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *SessionContext) (interface{}, error) {
-	var req *CreateAppSessionRequest
+	var req *AppResolveParams
 	if err := httplib.ReadJSON(r, &req); err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -93,9 +136,9 @@ func (h *Handler) createAppSession(w http.ResponseWriter, r *http.Request, p htt
 
 	// Use the information the caller provided to attempt to resolve to an
 	// application running within either the root or leaf cluster.
-	result, err := h.validateAppSessionRequest(r.Context(), authClient, proxy, req)
+	result, err := h.resolveApp(r.Context(), authClient, proxy, req)
 	if err != nil {
-		return nil, trace.Wrap(err, "Unable to resolve FQDN: %v", req.FQDN)
+		return nil, trace.Wrap(err, "Unable to resolve FQDN: %v", req.FQDNHint)
 	}
 
 	h.log.Debugf("Creating application web session for %v in %v.", result.PublicAddr, result.ClusterName)
@@ -175,7 +218,7 @@ func (h *Handler) waitForAppSession(ctx context.Context, sessionID, user string)
 	return auth.WaitForAppSession(ctx, sessionID, user, h.cfg.AccessPoint)
 }
 
-func (h *Handler) validateAppSessionRequest(ctx context.Context, clt app.Getter, proxy reversetunnel.Tunnel, req *CreateAppSessionRequest) (*validateAppSessionResult, error) {
+func (h *Handler) resolveApp(ctx context.Context, clt app.Getter, proxy reversetunnel.Tunnel, req *AppResolveParams) (*resolveAppResult, error) {
 	var (
 		app            *services.App
 		server         services.Server
@@ -189,23 +232,23 @@ func (h *Handler) validateAppSessionRequest(ctx context.Context, clt app.Getter,
 	if req.PublicAddr != "" && req.ClusterName != "" {
 		app, server, appClusterName, err = h.resolveDirect(ctx, proxy, req.PublicAddr, req.ClusterName)
 	} else {
-		app, server, appClusterName, err = h.resolveFQDN(ctx, clt, proxy, req.FQDN)
+		app, server, appClusterName, err = h.resolveFQDN(ctx, clt, proxy, req.FQDNHint)
 	}
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
 	fqdn := ui.AssembleAppFQDN(h.auth.clusterName, h.proxyDNSName(), appClusterName, app)
 
-	return &validateAppSessionResult{
+	return &resolveAppResult{
 		ServerID:    server.GetName(),
 		FQDN:        fqdn,
 		PublicAddr:  app.PublicAddr,
 		ClusterName: appClusterName,
 	}, nil
 }
 
-type validateAppSessionResult struct {
+type resolveAppResult struct {
 	// ServerID is the ID of the server this application is running on.
 	ServerID string
 	// FQDN is the best effort FQDN resolved for this application.