feature(pam): windows RDP support and S3 recording overrides#6936
feature(pam): windows RDP support and S3 recording overrides#6936bernie-g wants to merge 13 commits into
Conversation
|
💬 Discussion in Slack: #pr-review-infisical-6936-feat-pam-add-windows-rdp-support Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel. |
Wire Windows/RDP account type into the c5 PAM model: - Backend: Windows account schemas, RDP session handler, legacy alias resolution, session activation fix, S3 recording config resolution from template settings - Frontend: RDP web access, WASM-based session recording playback, account type resolution, S3 recording configuration in template settings
…tivation - Account-level recording settings (S3 bucket/region/keyPrefix override) - CORS probe URL returned after S3 config save, frontend warns on misconfigured CORS - Bucket change warning alert on template and account sheets - Trim whitespace on S3 config fields to prevent validation failures - Activate CLI sessions immediately on creation instead of waiting for first client connection
- Remove duplicate recording connection picker from template settings tab - Remove recording enabled toggle (recording is always on) - Rename storage backend label to Internal Database - Add docs link to CORS warning notification - Fix double cleanup in RDP session handler
bernie-g
changed the title
bernie-g
changed the title
bernie-g
changed the title
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d913e7ac2e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
| Filename | Overview |
|---|---|
| backend/src/ee/services/pam-session-recording/pam-recording-chunk-service.ts | Implements account-level S3 config resolution for recording chunks, but resolveRecordingConfig only reads account.recordingConnectionId (account-level column) and does not fall back to account.templateRecordingConnectionId, breaking recordings for accounts that rely on the template's connection. |
| backend/src/ee/services/pam-web-access/rdp/pam-rdp-session-handler.ts | New RDP TCP-proxy session handler; post-connection teardown paths call onCleanup correctly, but pre-connection failure (initial TCP error or connect timeout) omits the onCleanup call before rejecting. |
| backend/src/ee/services/pam/pam-validators.ts | Adds validateRecordingS3Config and mintCorsProbeUrl; user-supplied region string is only type-cast to AWSRegion rather than validated against the enum, allowing arbitrary strings to reach AWS endpoint construction. |
| backend/src/ee/services/pam-account/pam-account-service.ts | Adds account-level recordingSettings S3 override support for create and update flows, with CORS probe URL generation; update path silently skips S3 validation if no connection ID can be resolved. |
| backend/src/ee/services/pam-session/pam-session-service.ts | CLI session now activated immediately on creation; recording backend is resolved from template settings; connection details are normalized before being returned to the gateway. |
| backend/src/ee/services/pam-web-access/pam-web-access-service.ts | Routes Windows accounts to the new RDP protocol and defers session activation to the gateway for RDP; clean separation from SSH/Postgres web access path. |
| backend/src/db/migrations/20260619144500_pam-account-recording-settings.ts | Additive migration adds nullable recordingSettings JSONB column to pam_accounts; guarded with hasColumn checks in both up and down. |
| frontend/src/pages/pam/PamSessionsPage/components/RdpReplayView/rdpReplayPlayer.ts | New WASM-backed RDP session replay player; RAF-driven playback with buffering, append streaming, and dirty-rect blitting; thorough lifecycle and dispose handling. |
| frontend/src/pages/pam/PamAccountsPage/components/AccountDetailSheet.tsx | Adds account-level S3 recording override UI with CORS probe on save and inline warning about bucket migration; straightforward form extension. |
| backend/src/ee/services/pam-account-template/pam-account-template-service.ts | Template create/update now validates S3 config against the AWS connection and returns a CORS probe URL; logic mirrors the account service correctly. |
Reviews (1): Last reviewed commit: "chore(pam): fix lint and prettier format..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
…te recording connection fallback
…call onCleanup on pre-connect failures
![veria-ai[bot]](https://avatars.githubusercontent.com/in/1723776?s=60&v=4){kind=small}
| connectionId: string, | ||
| s3Config: { bucket: string; region: string; keyPrefix?: string } | ||
| ): Promise<TPamRecordingResolvedConfig> => { | ||
| const raw = await appConnectionDAL.findById(connectionId); |
There was a problem hiding this comment.
Medium: Unauthorized app connection use
recordingConnectionId is only checked by org membership before this helper decrypts and uses the connection's AWS credentials. A PAM account/template editor who knows another AWS app connection ID in the org can configure S3 recording with it and make the backend perform S3 Head/Put/Delete operations and mint recording URLs without having Connect permission to that connection or confirming the connection belongs to the PAM project. Validate the connection the same way other app-connection consumers do: require AWS, allow only org-scoped or same-project connections, and enforce the caller's app-connection connect permission before decrypting or using the credentials.
PR overviewThis pull request adds Windows RDP support for PAM and introduces S3 recording override configuration, including validation around the AWS connection used for recording storage. There is one open security issue: S3 recording configuration can reference an AWS app connection based only on organization membership, rather than enforcing the expected connection permission and project-scope checks. In practice, a PAM account or template editor with knowledge of another connection ID in the same organization could cause backend S3 operations to run through that connection. No issues have been addressed yet, so the PR still needs a permission/scope validation fix before this area is safe to merge. Open issues (1)
Fixed/addressed: 0 · PR risk: 6/10 |
1 participant
Context
Adds Windows RDP support to the PAM revamp and enables account-level S3 recording config overrides. Includes CORS probe after S3 config save, CLI session activation on creation, and cleanup fixes for the RDP session handler.
https://linear.app/infisical/issue/PAM-263/add-windows-account-rdp-web-and-cli
Type
Checklist