Emitting audit event and controls message for additional parties, i.e…

…. not the session initiator
gravitational · Sep 19, 2024 · b66ad27 · b66ad27
1 parent f7b895d
commit b66ad27
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/lib/kube/proxy/sess.go b/lib/kube/proxy/sess.go
@@ -952,8 +952,8 @@ func (s *session) lockedSetupLaunch(request *remoteCommandRequest, eventPodMeta
 
 // join attempts to connect a party to the session.
 func (s *session) join(p *party) error {
-	additionalParty := p.Ctx.User.GetName() != s.ctx.User.GetName()
-	if additionalParty {
+	sessInitiator := len(s.parties) == 0
+	if !sessInitiator {
 		roles := p.Ctx.Checker.Roles()
 
 		accessContext := auth.SessionAccessContext{
@@ -985,7 +985,7 @@ func (s *session) join(p *party) error {
 	// We only want to emit the session.join when someone tries to join a session via
 	// tsh kube join and not when the original session owner terminal streams are
 	// connected to the Kubernetes session.
-	if additionalParty {
+	if !sessInitiator {
 		s.emitSessionJoinEvent(p)
 	}
 
@@ -1021,7 +1021,7 @@ func (s *session) join(p *party) error {
 	s.io.AddWriter(stringID, p.Client.stdoutStream())
 
 	// Send the participant mode and controls to the additional participant
-	if additionalParty {
+	if !sessInitiator {
 		err := srv.MsgParticipantCtrls(p.Client.stdoutStream(), p.Mode)
 		if err != nil {
 			s.log.Errorf("Could not send intro message to participant: %v", err)

diff --git a/lib/srv/sess.go b/lib/srv/sess.go
@@ -1929,7 +1929,8 @@ func (s *session) addParty(p *party, mode types.SessionParticipantMode) error {
 		return trace.AccessDenied("The requested session is not active")
 	}
 
-	if len(s.parties) == 0 {
+	sessInitiator := len(s.parties) == 0
+	if sessInitiator {
 		canStart, _, err := s.checkIfStart()
 		if err != nil {
 			return trace.Wrap(err)
@@ -1962,7 +1963,7 @@ func (s *session) addParty(p *party, mode types.SessionParticipantMode) error {
 	s.io.AddWriter(string(p.id), p)
 
 	// Send the participant mode and controls to the additional participant
-	if s.login != p.login {
+	if !sessInitiator {
 		err := MsgParticipantCtrls(p.ch, mode)
 		if err != nil {
 			s.log.Errorf("Could not send intro message to participant: %v", err)
@@ -2019,7 +2020,8 @@ func (s *session) addParty(p *party, mode types.SessionParticipantMode) error {
 }
 
 func (s *session) join(ch ssh.Channel, scx *ServerContext, mode types.SessionParticipantMode) error {
-	if scx.Identity.TeleportUser != s.initiator {
+	sessInitiator := len(s.parties) == 0
+	if !sessInitiator {
 		accessContext := auth.SessionAccessContext{
 			Username: scx.Identity.TeleportUser,
 			Roles:    scx.Identity.AccessChecker.Roles(),
@@ -2055,8 +2057,10 @@ func (s *session) join(ch ssh.Channel, scx *ServerContext, mode types.SessionPar
 		return trace.Wrap(err)
 	}
 
-	// Emit session join event to the Audit Log
-	s.emitSessionJoinEvent(p.ctx)
+	// Emit session join event to the audit log for additional parties
+	if !sessInitiator {
+		s.emitSessionJoinEvent(p.ctx)
+	}
 
 	return nil
 }