gravitational · ravicious · Oct 22, 2024 · Oct 23, 2024 · Oct 28, 2024 · Oct 28, 2024
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/proto/teleport/legacy/client/proto/authservice.proto b/api/proto/teleport/legacy/client/proto/authservice.proto
@@ -316,7 +316,7 @@
 }

 // RouteToApp contains parameters for application access certificate requests.
 message RouteToApp {
  reserved 2; // SessionID, jsontag "session_id"
  reserved "SessionID";

@@ -333,7 +333,13 @@
   // GCPServiceAccount is the GCP service account to assume when accessing GCP API.
   string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
   // URI is the URI of the app. This is the internal endpoint where the application is running and isn't user-facing.
+  // Used merely for audit events and mirrors the URI from the app spec. Not used as a source of
+  // truth when routing connections.
   string URI = 8 [(gogoproto.jsontag) = "uri,omitempty"];
+  // TargetPort signifies that the cert grants access to a specific port in a multi-port TCP app, as
+  // long as the port is defined in the app spec. When specified, it must be between 1 and 65535.
+  // Used only for routing, should not be used in other contexts (e.g., access requests).
+  uint32 TargetPort = 9 [(gogoproto.jsontag) = "target_port,omitempty"];
 }
 
 // GetUserRequest specifies parameters for the GetUser method.

diff --git a/api/proto/teleport/legacy/types/events/events.proto b/api/proto/teleport/legacy/types/events/events.proto
@@ -2663,11 +2663,14 @@
  string AppPublicAddr = 2 [(gogoproto.jsontag) = "app_public_addr,omitempty"];
  // AppLabels are the configured application labels.
  map<string, string> AppLabels = 3 [
    (gogoproto.nullable) = false,
    (gogoproto.jsontag) = "app_labels,omitempty"
   ];
   // AppName is the configured application name.
   string AppName = 4 [(gogoproto.jsontag) = "app_name,omitempty"];
+  // AppTargetPort signifies that the app is a multi-port TCP app and says which port was used to
+  // access the app. This field is not set for other types of apps, including single-port TCP apps.
+  uint32 AppTargetPort = 5 [(gogoproto.jsontag) = "app_target_port,omitempty"];
 }
 
 // AppCreate is emitted when a new application resource is created.
@@ -4809,7 +4812,7 @@
  // Name is the application name certificate is being requested for.
  string Name = 1 [(gogoproto.jsontag) = "name"];
  // SessionID is the ID of the application session.
  string SessionID = 2 [(gogoproto.jsontag) = "session_id"];
  // PublicAddr is the application public address.
  string PublicAddr = 3 [(gogoproto.jsontag) = "public_addr"];
  // ClusterName is the cluster where the application resides.
@@ -4822,6 +4825,9 @@
   string GCPServiceAccount = 7 [(gogoproto.jsontag) = "gcp_service_account,omitempty"];
   // URI is the application URI.
   string URI = 8 [(gogoproto.jsontag) = "uri,omitempty"];
+  // TargetPort signifies that the user accessed a specific port in a multi-port TCP app. The value
+  // must be between 1 and 65535.
+  uint32 TargetPort = 9 [(gogoproto.jsontag) = "target_port,omitempty"];
 }
 
 // RouteToDatabase combines parameters for database service routing information.

diff --git a/api/types/derived.gen.go b/api/types/derived.gen.go