[v14] Fix active session filtering for legacy sessions #47562

Merged
merged 1 commit into from
Oct 15, 2024

Commits on Oct 14, 2024

  1. Fix active session filtering for legacy sessions

    This code never worked correctly, but mostly went unnoticed because
    it is only triggered when using legacy roles prior to RoleV5.
    
    Prior to moderated sessions, RBAC for viewing active sessions was
    based on whether or not you could join a session as the OS login
    that is being used, along with a pseudo-resource of kind "ssh_session".
    
    With moderated sessions we introduced more flexible RBAC semantics
    that allow you to join sessions in different modes (peer, observer,
    moderator), even if you don't actually have permission to start
    sessions.
    
    In #11223 we decided that we need to support both types of RBAC checks
    (legacy checks against the "ssh_session" resource, and newer checks
    against the session_tracker and join_sessions policies). The code that
    was doing the legacy checks was flawed for two reasons:
    
    1. It used (types.SessionTracker).GetKind() (which will always be
       "session_tracker") instead of
       (types.SessionTracker).GetSessionKind().
    2. When checking whether the session was SSH, it was checking for
       the legacy "ssh_session" value, instead of the "ssh" value that
       session trackers actually use.
    zmb3 authored and github-actions committed Oct 14, 2024
    2ad312b
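
The two defects listed in the commit message, reduced to a self-contained Go sketch of the predicate that decides which trackers get the legacy "ssh_session" check. This is an added example, not code from the pull request or from the project: the `tracker` type, the `legacyCandidates` helper and the sample trackers are hypothetical, and "k8s" is a constructed non-SSH session kind.

```go
package main

import "fmt"

// sessionTracker is a simplified stand-in exposing only the two accessors
// named in the commit message. It is not the project's types.SessionTracker.
type sessionTracker interface {
	GetKind() string        // kind of the resource itself
	GetSessionKind() string // kind of session the tracker describes
}

// tracker is a hypothetical implementation used for the demonstration.
type tracker struct {
	id          string
	sessionKind string
}

func (t tracker) GetKind() string        { return "session_tracker" } // always the same
func (t tracker) GetSessionKind() string { return t.sessionKind }

// flawedIsSSH reproduces both defects: it reads the resource kind and
// compares it with the legacy "ssh_session" value, so it can never match.
func flawedIsSSH(t sessionTracker) bool { return t.GetKind() == "ssh_session" }

// fixedIsSSH reads the session kind and compares it with "ssh",
// the value session trackers actually use.
func fixedIsSSH(t sessionTracker) bool { return t.GetSessionKind() == "ssh" }

// legacyCandidates returns the IDs of trackers that the given predicate
// would route to the legacy RBAC check.
func legacyCandidates(trackers []tracker, isSSH func(sessionTracker) bool) []string {
	var ids []string
	for _, t := range trackers {
		if isSSH(t) {
			ids = append(ids, t.id)
		}
	}
	return ids
}

// sampleTrackers returns constructed data: two SSH sessions and one non-SSH.
func sampleTrackers() []tracker {
	return []tracker{{"s1", "ssh"}, {"s2", "k8s"}, {"s3", "ssh"}}
}

func main() {
	fmt.Println("flawed:", legacyCandidates(sampleTrackers(), flawedIsSSH))
	fmt.Println("fixed: ", legacyCandidates(sampleTrackers(), fixedIsSSH))
}
```

A regression test for this kind of filter should include at least one tracker of each session kind, so that a predicate that matches nothing fails the test instead of passing silently.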