Fix missing identity in certs logic (#10673)
This commit is contained in:
parent
896dbbbc47
commit
8d71ba0fc9
|
@ -66,13 +66,13 @@ func TestAuthorizeWithLocksForLocalUser(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
user, _, err := CreateUserAndRole(srv.AuthServer, "test-user", []string{})
|
||||
user, role, err := CreateUserAndRole(srv.AuthServer, "test-user", []string{})
|
||||
require.NoError(t, err)
|
||||
localUser := LocalUser{
|
||||
Username: user.GetName(),
|
||||
Identity: tlsca.Identity{
|
||||
Username: user.GetName(),
|
||||
Groups: []string{"test-role-1"},
|
||||
Groups: []string{role.GetName()},
|
||||
MFAVerified: "mfa-device-id",
|
||||
ActiveRequests: []string{"test-request"},
|
||||
},
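Review bot: Replacing the hard-coded `"test-role-1"` with `role.GetName()` makes this fixture valid now that an identity with `Groups` set but no `Traits` (none are set here) is presumably no longer rescued by the backend fallback, but nothing in this test pins that behaviour; a regression would surface only as an unrelated role-not-found failure. A focused unit test for `ExtractFromIdentity` with `Groups` populated and `Traits` empty, asserting the returned roles equal the cert's groups, plus one with `Groups` empty asserting the backend user's roles are returned, would document the contract. A short fixture comment would also help the next reader: `// Groups must name a real role: certs that carry roles are used as-is, there is no backend fallback for missing traits.` TestAuthorizeWithLocksForLocalUser starts and ends outside the hunk.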
|
||||
|
|
|
@ -778,9 +778,11 @@ func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, e
|
|||
// which Teleport passes along as a *tlsca.Identity. If roles and traits do not
|
||||
// exist in the certificates, they are extracted from the backend.
|
||||
func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error) {
|
||||
// For legacy certificates, fetch roles and traits from the services.User
|
||||
// object in the backend.
|
||||
if missingIdentity(identity) {
|
||||
// Legacy certs are not encoded with roles or traits,
|
||||
// so we fallback to the traits and roles in the backend.
|
||||
// empty traits are a valid use case in standard certs,
|
||||
// so we only check for whether roles are empty.
|
||||
if len(identity.Groups) == 0 {
|
||||
u, err := access.GetUser(identity.Username, false)
|
||||
if err != nil {
|
||||
return nil, nil, trace.Wrap(err)
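Review bot: The context comment above the function, `// If roles and traits do not exist in the certificates, they are extracted from the backend.`, is now stale: the new guard `if len(identity.Groups) == 0` falls back only when roles are absent, and traits are fetched along with them; suggest `// If the certificate carries no roles (legacy certs), roles and traits are fetched from the backend user instead.` The trust implication of the fallback deserves a line next to the guard too, because it substitutes the backend user's current roles and traits for whatever the cert carried — a cert with an empty role list inherits every role the named user holds at lookup time, including ones granted after issuance: `// NOTE: this path trusts identity.Username and grants the user's current backend roles; it must only be reachable for certs that predate role encoding.` If the identity carries something that distinguishes a legacy cert from one deliberately issued without roles, checking that would be tighter than an empty-slice test, but I cannot confirm such a field from this hunk. ExtractFromIdentity continues outside the hunk.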
|
||||
|
@ -823,15 +825,6 @@ func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]strin
|
|||
return NewRoleSet(roles...), nil
|
||||
}
|
||||
|
||||
// missingIdentity returns true if the identity is missing or the identity
|
||||
// has no roles or traits.
|
||||
func missingIdentity(identity tlsca.Identity) bool {
|
||||
if len(identity.Groups) == 0 || len(identity.Traits) == 0 {
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// ExtractRolesFromCert extracts roles from certificate metadata extensions.
|
||||
func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error) {
|
||||
data, ok := cert.Extensions[teleport.CertExtensionTeleportRoles]
|
||||
|
|