feat(pam): rdp browser client

packages/gateway-v2/gateway.go

@@ -35,6 +35,7 @@ const (
 	ForwardModeHTTP            ForwardMode = "HTTP"
 	ForwardModeTCP             ForwardMode = "TCP"
 	ForwardModePAM             ForwardMode = "PAM"
+	ForwardModePAMRDPBrowser   ForwardMode = "PAM_RDP_BROWSER"
 	ForwardModePAMCancellation ForwardMode = "PAM_CANCELLATION"
 	ForwardModePAMCapabilities ForwardMode = "PAM_CAPABILITIES"
 	ForwardModePing            ForwardMode = "PING"
@@ -706,7 +707,7 @@ func (g *Gateway) setupTLSConfig() error {
 		ClientCAs:  clientCAPool,
 		ClientAuth: tls.RequireAndVerifyClientCert,
 		MinVersion: tls.VersionTLS12,
-		NextProtos: []string{"infisical-http-proxy", "infisical-tcp-proxy", "infisical-health", "infisical-ping", "infisical-pam-proxy", "infisical-pam-session-cancellation", "infisical-pam-capabilities"},
+		NextProtos: []string{"infisical-http-proxy", "infisical-tcp-proxy", "infisical-health", "infisical-ping", "infisical-pam-proxy", "infisical-pam-rdp-browser", "infisical-pam-session-cancellation", "infisical-pam-capabilities"},
 	}
 
 	return nil
@@ -869,7 +870,7 @@ func (g *Gateway) handleIncomingChannel(newChannel ssh.NewChannel) {
 			log.Info().Msg("TCP proxy handler completed")
 		}
 		return
-	} else if forwardConfig.Mode == ForwardModePAM {
+	} else if forwardConfig.Mode == ForwardModePAM || forwardConfig.Mode == ForwardModePAMRDPBrowser {
 		// RDP only: prior bridge must fully tear down before the new one starts,
 		// else overlapping drains write non-monotonic elapsedMs to the recording.
 		if forwardConfig.PAMConfig.ResourceType == session.ResourceTypeWindows {
@@ -882,7 +883,8 @@ func (g *Gateway) handleIncomingChannel(newChannel ssh.NewChannel) {
 			g.DeregisterPAMSession(forwardConfig.PAMConfig.SessionId, tlsConn)
 		}()
 		forwardConfig.PAMConfig.OnActivity = touchSession
-		if err := pam.HandlePAMProxy(sessionCtx, tlsConn, &forwardConfig.PAMConfig, g.httpClient); err != nil {
+		browserRDP := forwardConfig.Mode == ForwardModePAMRDPBrowser
+		if err := pam.HandlePAMProxy(sessionCtx, tlsConn, &forwardConfig.PAMConfig, g.httpClient, browserRDP); err != nil {
 			if err.Error() == "unexpected EOF" {
 				log.Debug().Err(err).Msg("PAM proxy handler ended with unexpected connection termination")
 			} else {
@@ -953,6 +955,10 @@ func (g *Gateway) parseForwardConfigFromALPN(tlsConn *tls.Conn, reader *bufio.Re
 		config.Mode = ForwardModePAM
 		return config, nil
 
+	case "infisical-pam-rdp-browser":
+		config.Mode = ForwardModePAMRDPBrowser
+		return config, nil
+
 	case "infisical-pam-session-cancellation":
 		config.Mode = ForwardModePAMCancellation
 		return config, nil

packages/pam/handlers/rdp/bridge_cgo_shared.go

@@ -20,45 +20,59 @@ import (
 )
 
 func (p *RDPProxy) HandleConnection(ctx context.Context, clientConn net.Conn) error {
+	return p.handleConnectionWith(ctx, clientConn, func() (*Bridge, error) {
+		return StartWithReadWriter(
+			clientConn,
+			p.config.TargetHost,
+			p.config.TargetPort,
+			p.config.InjectUsername,
+			p.config.InjectPassword,
+			p.config.InjectDomain,
+		)
+	})
+}
+
+// HandleConnectionRDCleanPath is the browser-flow variant (RDCleanPath instead of X.224).
+func (p *RDPProxy) HandleConnectionRDCleanPath(ctx context.Context, clientConn net.Conn) error {
+	return p.handleConnectionWith(ctx, clientConn, func() (*Bridge, error) {
+		return StartRDCleanPathWithReadWriter(
+			clientConn,
+			p.config.TargetHost,
+			p.config.TargetPort,
+			p.config.InjectUsername,
+			p.config.InjectPassword,
+			p.config.InjectDomain,
+			BrowserAcceptorUsername,
+		)
+	})
+}
+
+func (p *RDPProxy) handleConnectionWith(ctx context.Context, clientConn net.Conn, start func() (*Bridge, error)) error {
 	defer clientConn.Close()
 	if p.config.SessionLogger != nil {
 		defer func() {
 			_ = p.config.SessionLogger.Close()
 		}()
 	}
 
-	bridge, err := StartWithReadWriter(
-		clientConn,
-		p.config.TargetHost,
-		p.config.TargetPort,
-		p.config.InjectUsername,
-		p.config.InjectPassword,
-		p.config.InjectDomain,
-	)
+	bridge, err := start()
 	if err != nil {
 		return fmt.Errorf("rdp proxy: start bridge: %w", err)
 	}
 	defer bridge.Close()
 
-	// Drain bridge tap events into the session logger. The Rust side closes
-	// the events channel when the session ends, so the goroutine exits via
-	// PollEnded without needing an explicit shutdown signal.
 	drainCtx, cancelDrain := context.WithCancel(ctx)
 	drainDone := make(chan struct{})
 	go func() {
 		defer close(drainDone)
 		drainBridgeEvents(drainCtx, bridge, p.config.SessionLogger, p.config.SessionID, p.config.PriorElapsedNs, p.config.SessionUploader)
 	}()
-	// Wait for the drain to finish naturally on the normal-end path so the
-	// tail of the recording isn't dropped: PollEnded fires after the Rust
-	// side closes the events channel (post bridge.Wait return). Cancellation
-	// paths trigger cancelDrain() explicitly below to bail early.
+	// Let drain finish so recording tail isn't dropped; cancel paths bail early
 	defer func() {
 		select {
 		case <-drainDone:
 		case <-time.After(2 * pollTimeout):
 		}
-		// Always release the drain context (no-op if already cancelled).
 		cancelDrain()
 	}()
 
@@ -95,8 +109,7 @@ func (b *Bridge) Wait() error {
 	}
 }
 
-// Cancel is idempotent and safe from any goroutine, including
-// concurrently with Wait.
+// Cancel is idempotent and safe from any goroutine.
 func (b *Bridge) Cancel() error {
 	rc := C.rdp_bridge_cancel(C.uint64_t(b.handle))
 	if rc == C.RDP_BRIDGE_INVALID_HANDLE {
@@ -120,9 +133,7 @@ func (b *Bridge) Close() error {
 // True when the real bridge is compiled in (vs the stub).
 func IsSupported() bool { return true }
 
-// PollEvent drains one tap event with the given timeout. The returned Event
-// is only meaningful when result == PollOK. PollEvent is not safe to call
-// concurrently for the same Bridge; serialize calls in a single goroutine.
+// PollEvent drains one tap event. Not safe to call concurrently for the same Bridge.
 func (b *Bridge) PollEvent(timeout time.Duration) (PollResult, Event, error) {
 	timeoutMs := timeout.Milliseconds()
 	if timeoutMs < 0 {
@@ -164,8 +175,7 @@ func (b *Bridge) PollEvent(timeout time.Duration) (PollResult, Event, error) {
 		ev.X = uint16(raw.value_a)
 		ev.Y = uint16(raw.value_b)
 	case EventTypeTargetFrame:
-		// Always free the libc-malloc'd buffer Rust handed us, even if
-		// the copy below is empty -- ownership transfer is unconditional.
+		// Ownership transferred from Rust; always free even if empty
 		if raw.payload_ptr != nil {
 			defer C.free(unsafe.Pointer(raw.payload_ptr))
 			if raw.payload_len > 0 {

packages/pam/handlers/rdp/bridge_cgo_unix.go

@@ -21,19 +21,25 @@ import (
 )
 
 // StartWithConn hands an independent dup of conn's fd to the bridge.
-// For TLS-wrapped or otherwise non-fd-backed conns, use StartWithReadWriter.
-// `domain` is empty for local accounts; set to the AD domain name for
-// domain-joined NTLM CredSSP.
 func StartWithConn(conn net.Conn, targetHost string, targetPort uint16, username, password, domain string) (*Bridge, error) {
 	dupFd, err := dupConnFD(conn)
 	if err != nil {
 		return nil, fmt.Errorf("rdp bridge: dup client fd: %w", err)
 	}
-	return startWithDupedFD(dupFd, targetHost, targetPort, username, password, domain)
+	return startWithDupedFD(dupFd, targetHost, targetPort, username, password, domain, "")
 }
 
-// Ownership of dupFd transfers to Rust on success; we close it on failure.
-func startWithDupedFD(dupFd int, targetHost string, targetPort uint16, username, password, domain string) (*Bridge, error) {
+// StartRDCleanPathWithConn is the browser-flow analog of StartWithConn.
+func StartRDCleanPathWithConn(conn net.Conn, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
+	dupFd, err := dupConnFD(conn)
+	if err != nil {
+		return nil, fmt.Errorf("rdp bridge: dup client fd: %w", err)
+	}
+	return startWithDupedFD(dupFd, targetHost, targetPort, username, password, domain, acceptorUsername)
+}
+
+// Ownership of dupFd transfers to Rust on success; closed on failure.
+func startWithDupedFD(dupFd int, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
 	success := false
 	defer func() {
 		if !success {
@@ -48,13 +54,18 @@ func startWithDupedFD(dupFd int, targetHost string, targetPort uint16, username,
 	cPass := C.CString(password)
 	defer C.free(unsafe.Pointer(cPass))
 
-	// Empty domain -> NULL pointer; bridge treats both the same way.
 	var cDomain *C.char
 	if domain != "" {
 		cDomain = C.CString(domain)
 		defer C.free(unsafe.Pointer(cDomain))
 	}
 
+	var cAcceptor *C.char
+	if acceptorUsername != "" {
+		cAcceptor = C.CString(acceptorUsername)
+		defer C.free(unsafe.Pointer(cAcceptor))
+	}
+
 	var handle C.uint64_t
 	rc := C.rdp_bridge_start_unix_fd(
 		C.int(dupFd),
@@ -63,6 +74,7 @@ func startWithDupedFD(dupFd int, targetHost string, targetPort uint16, username,
 		cUser,
 		cPass,
 		cDomain,
+		cAcceptor,
 		&handle,
 	)
 	if rc != C.RDP_BRIDGE_OK {
@@ -72,9 +84,17 @@ func startWithDupedFD(dupFd int, targetHost string, targetPort uint16, username,
 	return &Bridge{handle: uint64(handle)}, nil
 }
 
-// Adapts an fd-less Go byte stream to the Rust bridge (which needs a real fd
-// for tokio's TcpStream::from_raw_fd) by routing through a loopback TCP pair.
+// Routes fd-less Go streams through a loopback TCP pair for tokio.
 func StartWithReadWriter(rw io.ReadWriter, targetHost string, targetPort uint16, username, password, domain string) (*Bridge, error) {
+	return startWithReadWriterCommon(rw, targetHost, targetPort, username, password, domain, "")
+}
+
+// Browser-flow analog of StartWithReadWriter.
+func StartRDCleanPathWithReadWriter(rw io.ReadWriter, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
+	return startWithReadWriterCommon(rw, targetHost, targetPort, username, password, domain, acceptorUsername)
+}
+
+func startWithReadWriterCommon(rw io.ReadWriter, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return nil, fmt.Errorf("rdp bridge: loopback listen: %w", err)
@@ -109,7 +129,7 @@ func StartWithReadWriter(rw io.ReadWriter, targetHost string, targetPort uint16,
 		return nil, fmt.Errorf("rdp bridge: dup accepted fd: %w", err)
 	}
 
-	bridge, err := startWithDupedFD(dupFd, targetHost, targetPort, username, password, domain)
+	bridge, err := startWithDupedFD(dupFd, targetHost, targetPort, username, password, domain, acceptorUsername)
 	if err != nil {
 		_ = peer.Close()
 		return nil, err

packages/pam/handlers/rdp/bridge_cgo_windows.go

@@ -26,10 +26,20 @@ func StartWithConn(conn net.Conn, targetHost string, targetPort uint16, username
 	if err != nil {
 		return nil, fmt.Errorf("rdp bridge: dup client socket: %w", err)
 	}
-	return startWithDupedSocket(dupSocket, targetHost, targetPort, username, password, domain)
+	return startWithDupedSocket(dupSocket, targetHost, targetPort, username, password, domain, "")
 }
 
-func startWithDupedSocket(dupSocket windows.Handle, targetHost string, targetPort uint16, username, password, domain string) (*Bridge, error) {
+// Browser-flow analog of StartWithConn.
+func StartRDCleanPathWithConn(conn net.Conn, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
+	dupSocket, err := dupConnSocket(conn)
+	if err != nil {
+		return nil, fmt.Errorf("rdp bridge: dup client socket: %w", err)
+	}
+	return startWithDupedSocket(dupSocket, targetHost, targetPort, username, password, domain, acceptorUsername)
+}
+
+// Empty acceptorUsername selects native flow; non-empty selects RDCleanPath.
+func startWithDupedSocket(dupSocket windows.Handle, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
 	success := false
 	defer func() {
 		if !success {
@@ -50,6 +60,12 @@ func startWithDupedSocket(dupSocket windows.Handle, targetHost string, targetPor
 		defer C.free(unsafe.Pointer(cDomain))
 	}
 
+	var cAcceptor *C.char
+	if acceptorUsername != "" {
+		cAcceptor = C.CString(acceptorUsername)
+		defer C.free(unsafe.Pointer(cAcceptor))
+	}
+
 	var handle C.uint64_t
 	rc := C.rdp_bridge_start_windows_socket(
 		C.uintptr_t(dupSocket),
@@ -58,6 +74,7 @@ func startWithDupedSocket(dupSocket windows.Handle, targetHost string, targetPor
 		cUser,
 		cPass,
 		cDomain,
+		cAcceptor,
 		&handle,
 	)
 	if rc != C.RDP_BRIDGE_OK {
@@ -68,6 +85,15 @@ func startWithDupedSocket(dupSocket windows.Handle, targetHost string, targetPor
 }
 
 func StartWithReadWriter(rw io.ReadWriter, targetHost string, targetPort uint16, username, password, domain string) (*Bridge, error) {
+	return startWithReadWriterCommon(rw, targetHost, targetPort, username, password, domain, "")
+}
+
+// Browser-flow analog of StartWithReadWriter.
+func StartRDCleanPathWithReadWriter(rw io.ReadWriter, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
+	return startWithReadWriterCommon(rw, targetHost, targetPort, username, password, domain, acceptorUsername)
+}
+
+func startWithReadWriterCommon(rw io.ReadWriter, targetHost string, targetPort uint16, username, password, domain, acceptorUsername string) (*Bridge, error) {
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		return nil, fmt.Errorf("rdp bridge: loopback listen: %w", err)
@@ -102,7 +128,7 @@ func StartWithReadWriter(rw io.ReadWriter, targetHost string, targetPort uint16,
 		return nil, fmt.Errorf("rdp bridge: dup accepted socket: %w", err)
 	}
 
-	bridge, err := startWithDupedSocket(dupSocket, targetHost, targetPort, username, password, domain)
+	bridge, err := startWithDupedSocket(dupSocket, targetHost, targetPort, username, password, domain, acceptorUsername)
 	if err != nil {
 		_ = peer.Close()
 		return nil, err

packages/pam/handlers/rdp/bridge_stub.go

@@ -17,15 +17,28 @@ func StartWithConn(_ net.Conn, _ string, _ uint16, _, _, _ string) (*Bridge, err
 	return nil, ErrRdpUnavailable
 }
 
+func StartRDCleanPathWithConn(_ net.Conn, _ string, _ uint16, _, _, _, _ string) (*Bridge, error) {
+	return nil, ErrRdpUnavailable
+}
+
 func StartWithReadWriter(_ io.ReadWriter, _ string, _ uint16, _, _, _ string) (*Bridge, error) {
 	return nil, ErrRdpUnavailable
 }
 
+func StartRDCleanPathWithReadWriter(_ io.ReadWriter, _ string, _ uint16, _, _, _, _ string) (*Bridge, error) {
+	return nil, ErrRdpUnavailable
+}
+
 func (p *RDPProxy) HandleConnection(_ context.Context, clientConn net.Conn) error {
 	_ = clientConn.Close()
 	return ErrRdpUnavailable
 }
 
+func (p *RDPProxy) HandleConnectionRDCleanPath(_ context.Context, clientConn net.Conn) error {
+	_ = clientConn.Close()
+	return ErrRdpUnavailable
+}
+
 func (b *Bridge) Wait() error   { return ErrRdpUnavailable }
 func (b *Bridge) Cancel() error { return ErrRdpUnavailable }
 func (b *Bridge) Close() error  { return ErrRdpUnavailable }

packages/pam/handlers/rdp/native/Cargo.toml

@@ -17,6 +17,7 @@ ironrdp-core = "0.1"
 ironrdp-tokio = { version = "0.8", features = ["reqwest"] }
 ironrdp-pdu = "0.7"
 ironrdp-tls = { version = "0.2", features = ["rustls"] }
+ironrdp-rdcleanpath = "0.2"
 x509-cert = { version = "0.2", features = ["std"] }
 libc = "0.2"