Teleport Connect: Accept database name when setting up proxy (#12173) (…

…#12228)

* Add target_subresource_name to proto files

* Pass database name when creating certs and CLI command

lib/teleterm/api/proto/v1/gateway.proto

@@ -48,4 +48,7 @@ message Gateway {
     // This means that the Database Access team can add support for a new protocol and Teleterm will
     // support it right away without any changes to Teleterm's code.
     string cli_command = 8;
+    // target_subresource_name points at a subresource of the remote resource, for example a
+    // database name on a database server.
+    string target_subresource_name = 9;
 }

lib/teleterm/api/proto/v1/service.proto

@@ -127,6 +127,7 @@ message CreateGatewayRequest {
     string target_uri = 1;
     string target_user = 2;
     string local_port = 3;
+    string target_subresource_name = 4;
 }
 
 message ListGatewaysRequest { repeated string cluster_ids = 1; }

lib/teleterm/api/protogen/js/v1/gateway_pb.d.ts

@@ -31,6 +31,9 @@ export class Gateway extends jspb.Message {
     getCliCommand(): string;
     setCliCommand(value: string): Gateway;
 
+    getTargetSubresourceName(): string;
+    setTargetSubresourceName(value: string): Gateway;
+
 
     serializeBinary(): Uint8Array;
     toObject(includeInstance?: boolean): Gateway.AsObject;
@@ -52,5 +55,6 @@ export namespace Gateway {
         localPort: string,
         protocol: string,
         cliCommand: string,
+        targetSubresourceName: string,
     }
 }

lib/teleterm/api/protogen/js/v1/gateway_pb.js

@@ -73,7 +73,8 @@ proto.teleport.terminal.v1.Gateway.toObject = function(includeInstance, msg) {
     localAddress: jspb.Message.getFieldWithDefault(msg, 5, ""),
     localPort: jspb.Message.getFieldWithDefault(msg, 6, ""),
     protocol: jspb.Message.getFieldWithDefault(msg, 7, ""),
-    cliCommand: jspb.Message.getFieldWithDefault(msg, 8, "")
+    cliCommand: jspb.Message.getFieldWithDefault(msg, 8, ""),
+    targetSubresourceName: jspb.Message.getFieldWithDefault(msg, 9, "")
   };
 
   if (includeInstance) {
@@ -142,6 +143,10 @@ proto.teleport.terminal.v1.Gateway.deserializeBinaryFromReader = function(msg, r
       var value = /** @type {string} */ (reader.readString());
       msg.setCliCommand(value);
       break;
+    case 9:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setTargetSubresourceName(value);
+      break;
     default:
       reader.skipField();
       break;
@@ -227,6 +232,13 @@ proto.teleport.terminal.v1.Gateway.serializeBinaryToWriter = function(message, w
       f
     );
   }
+  f = message.getTargetSubresourceName();
+  if (f.length > 0) {
+    writer.writeString(
+      9,
+      f
+    );
+  }
 };
 
 
@@ -374,4 +386,22 @@ proto.teleport.terminal.v1.Gateway.prototype.setCliCommand = function(value) {
 };
 
 
+/**
+ * optional string target_subresource_name = 9;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.Gateway.prototype.getTargetSubresourceName = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 9, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.Gateway} returns this
+ */
+proto.teleport.terminal.v1.Gateway.prototype.setTargetSubresourceName = function(value) {
+  return jspb.Message.setProto3StringField(this, 9, value);
+};
+
+
 goog.object.extend(exports, proto.teleport.terminal.v1);

lib/teleterm/api/protogen/js/v1/service_pb.d.ts

@@ -402,6 +402,9 @@ export class CreateGatewayRequest extends jspb.Message {
     getLocalPort(): string;
     setLocalPort(value: string): CreateGatewayRequest;
 
+    getTargetSubresourceName(): string;
+    setTargetSubresourceName(value: string): CreateGatewayRequest;
+
 
     serializeBinary(): Uint8Array;
     toObject(includeInstance?: boolean): CreateGatewayRequest.AsObject;
@@ -418,6 +421,7 @@ export namespace CreateGatewayRequest {
         targetUri: string,
         targetUser: string,
         localPort: string,
+        targetSubresourceName: string,
     }
 }
 

lib/teleterm/api/protogen/js/v1/service_pb.js

@@ -2990,7 +2990,8 @@ proto.teleport.terminal.v1.CreateGatewayRequest.toObject = function(includeInsta
   var f, obj = {
     targetUri: jspb.Message.getFieldWithDefault(msg, 1, ""),
     targetUser: jspb.Message.getFieldWithDefault(msg, 2, ""),
-    localPort: jspb.Message.getFieldWithDefault(msg, 3, "")
+    localPort: jspb.Message.getFieldWithDefault(msg, 3, ""),
+    targetSubresourceName: jspb.Message.getFieldWithDefault(msg, 4, "")
   };
 
   if (includeInstance) {
@@ -3039,6 +3040,10 @@ proto.teleport.terminal.v1.CreateGatewayRequest.deserializeBinaryFromReader = fu
       var value = /** @type {string} */ (reader.readString());
       msg.setLocalPort(value);
       break;
+    case 4:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setTargetSubresourceName(value);
+      break;
     default:
       reader.skipField();
       break;
@@ -3089,6 +3094,13 @@ proto.teleport.terminal.v1.CreateGatewayRequest.serializeBinaryToWriter = functi
       f
     );
   }
+  f = message.getTargetSubresourceName();
+  if (f.length > 0) {
+    writer.writeString(
+      4,
+      f
+    );
+  }
 };
 
 
@@ -3146,6 +3158,24 @@ proto.teleport.terminal.v1.CreateGatewayRequest.prototype.setLocalPort = functio
 };
 
 
+/**
+ * optional string target_subresource_name = 4;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.CreateGatewayRequest.prototype.getTargetSubresourceName = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 4, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.CreateGatewayRequest} returns this
+ */
+proto.teleport.terminal.v1.CreateGatewayRequest.prototype.setTargetSubresourceName = function(value) {
+  return jspb.Message.setProto3StringField(this, 4, value);
+};
+
+
 
 /**
  * List of repeated fields within this message type.

lib/teleterm/apiserver/handler/handler_gateways.go

@@ -27,9 +27,10 @@ import (
 // CreateGateway creates a gateway
 func (s *Handler) CreateGateway(ctx context.Context, req *api.CreateGatewayRequest) (*api.Gateway, error) {
 	params := clusters.CreateGatewayParams{
-		TargetURI:  req.TargetUri,
-		TargetUser: req.TargetUser,
-		LocalPort:  req.LocalPort,
+		TargetURI:             req.TargetUri,
+		TargetUser:            req.TargetUser,
+		TargetSubresourceName: req.TargetSubresourceName,
+		LocalPort:             req.LocalPort,
 	}
 
 	gateway, err := s.DaemonService.CreateGateway(ctx, params)
@@ -68,13 +69,14 @@ func (s *Handler) RemoveGateway(ctx context.Context, req *api.RemoveGatewayReque
 
 func newAPIGateway(gateway *gateway.Gateway) *api.Gateway {
 	return &api.Gateway{
-		Uri:          gateway.URI.String(),
-		TargetUri:    gateway.TargetURI,
-		TargetName:   gateway.TargetName,
-		TargetUser:   gateway.TargetUser,
-		Protocol:     gateway.Protocol,
-		LocalAddress: gateway.LocalAddress,
-		LocalPort:    gateway.LocalPort,
-		CliCommand:   gateway.CLICommand,
+		Uri:                   gateway.URI.String(),
+		TargetUri:             gateway.TargetURI,
+		TargetName:            gateway.TargetName,
+		TargetUser:            gateway.TargetUser,
+		TargetSubresourceName: gateway.TargetSubresourceName,
+		Protocol:              gateway.Protocol,
+		LocalAddress:          gateway.LocalAddress,
+		LocalPort:             gateway.LocalPort,
+		CliCommand:            gateway.CLICommand,
 	}
 }

lib/teleterm/clusters/cluster_databases.go

@@ -89,7 +89,7 @@ func (c *Cluster) GetDatabases(ctx context.Context) ([]Database, error) {
 }
 
 // ReissueDBCerts issues new certificates for specific DB access
-func (c *Cluster) ReissueDBCerts(ctx context.Context, user string, db types.Database) error {
+func (c *Cluster) ReissueDBCerts(ctx context.Context, user, dbName string, db types.Database) error {
 	// When generating certificate for MongoDB access, database username must
 	// be encoded into it. This is required to be able to tell which database
 	// user to authenticate the connection as.
@@ -103,6 +103,7 @@ func (c *Cluster) ReissueDBCerts(ctx context.Context, user string, db types.Data
 			ServiceName: db.GetName(),
 			Protocol:    db.GetProtocol(),
 			Username:    user,
+			Database:    dbName,
 		},
 		AccessRequests: c.status.ActiveRequests.AccessRequests,
 	})
@@ -115,6 +116,7 @@ func (c *Cluster) ReissueDBCerts(ctx context.Context, user string, db types.Data
 		ServiceName: db.GetName(),
 		Protocol:    db.GetProtocol(),
 		Username:    user,
+		Database:    dbName,
 	}, c.status)
 	if err != nil {
 		return trace.Wrap(err)

lib/teleterm/clusters/cluster_gateways.go

@@ -32,6 +32,9 @@ type CreateGatewayParams struct {
 	TargetURI string
 	// TargetUser is the target user name
 	TargetUser string
+	// TargetSubresourceName points at a subresource of the remote resource, for example a database
+	// name on a database server.
+	TargetSubresourceName string
 	// LocalPort is the gateway local port
 	LocalPort string
 }
@@ -43,21 +46,22 @@ func (c *Cluster) CreateGateway(ctx context.Context, params CreateGatewayParams)
 		return nil, trace.Wrap(err)
 	}
 
-	if err := c.ReissueDBCerts(ctx, params.TargetUser, db); err != nil {
+	if err := c.ReissueDBCerts(ctx, params.TargetUser, params.TargetSubresourceName, db); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
 	gw, err := gateway.New(gateway.Config{
-		LocalPort:    params.LocalPort,
-		TargetURI:    params.TargetURI,
-		TargetUser:   params.TargetUser,
-		TargetName:   db.GetName(),
-		Protocol:     db.GetProtocol(),
-		KeyPath:      c.status.KeyPath(),
-		CertPath:     c.status.DatabaseCertPathForCluster("", db.GetName()),
-		Insecure:     c.clusterClient.InsecureSkipVerify,
-		WebProxyAddr: c.clusterClient.WebProxyAddr,
-		Log:          c.Log.WithField("gateway", params.TargetURI),
+		LocalPort:             params.LocalPort,
+		TargetURI:             params.TargetURI,
+		TargetUser:            params.TargetUser,
+		TargetName:            db.GetName(),
+		TargetSubresourceName: params.TargetSubresourceName,
+		Protocol:              db.GetProtocol(),
+		KeyPath:               c.status.KeyPath(),
+		CertPath:              c.status.DatabaseCertPathForCluster("", db.GetName()),
+		Insecure:              c.clusterClient.InsecureSkipVerify,
+		WebProxyAddr:          c.clusterClient.WebProxyAddr,
+		Log:                   c.Log.WithField("gateway", params.TargetURI),
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -77,6 +81,7 @@ func buildCLICommand(c *Cluster, gw *gateway.Gateway) (*exec.Cmd, error) {
 		ServiceName: gw.TargetName,
 		Protocol:    gw.Protocol,
 		Username:    gw.TargetUser,
+		Database:    gw.TargetSubresourceName,
 	}
 
 	cmd, err := dbcmd.NewCmdBuilder(c.clusterClient, &c.status, &routeToDb, c.URI.GetRootClusterName(),

lib/teleterm/gateway/config.go

@@ -35,6 +35,9 @@ type Config struct {
 	TargetURI string
 	// TargetUser is the target user name
 	TargetUser string
+	// TargetSubresourceName points at a subresource of the remote resource, for example a database
+	// name on a database server.
+	TargetSubresourceName string
 
 	// Port is the gateway port
 	LocalPort string