Fix missing identity in certs logic (#10673)

Brian Joerger 2022-03-03 14:22:23 -08:00 committed by GitHub
parent 896dbbbc47
commit 8d71ba0fc9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 14 deletions


@ -66,13 +66,13 @@ func TestAuthorizeWithLocksForLocalUser(t *testing.T) {
})
require.NoError(t, err)
user, _, err := CreateUserAndRole(srv.AuthServer, "test-user", []string{})
user, role, err := CreateUserAndRole(srv.AuthServer, "test-user", []string{})
require.NoError(t, err)
localUser := LocalUser{
Username: user.GetName(),
Identity: tlsca.Identity{
Username: user.GetName(),
Groups: []string{"test-role-1"},
Groups: []string{role.GetName()},
MFAVerified: "mfa-device-id",
ActiveRequests: []string{"test-request"},
},


@ -778,9 +778,11 @@ func ExtractFromCertificate(cert *ssh.Certificate) ([]string, wrappers.Traits, e
// which Teleport passes along as a *tlsca.Identity. If roles and traits do not
// exist in the certificates, they are extracted from the backend.
func ExtractFromIdentity(access UserGetter, identity tlsca.Identity) ([]string, wrappers.Traits, error) {
// For legacy certificates, fetch roles and traits from the services.User
// object in the backend.
if missingIdentity(identity) {
// Legacy certs are not encoded with roles or traits,
// so we fallback to the traits and roles in the backend.
// empty traits are a valid use case in standard certs,
// so we only check for whether roles are empty.
if len(identity.Groups) == 0 {
u, err := access.GetUser(identity.Username, false)
if err != nil {
return nil, nil, trace.Wrap(err)
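Review bot: The doc comment on ExtractFromIdentity, still reading "If roles and traits do not exist in the certificates, they are extracted from the backend", no longer matches the new condition, which takes the backend path only when `identity.Groups` is empty. Suggest rewording the two context lines to `// which Teleport passes along as a *tlsca.Identity. If the certificate carries no roles, roles and traits are extracted from the backend; empty traits alone do not trigger the fallback.` The removed missingIdentity helper (deleted in the next hunk) also fell back when Traits was empty, so an identity that has roles but no encoded traits now keeps its empty traits instead of picking up the backend user's; that appears intentional per the new inline comment, but it is a behavior change worth stating in the function's doc so callers relying on backend-populated traits can be checked. The body of ExtractFromIdentity continues past the end of this hunk.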
@ -823,15 +825,6 @@ func FetchRoles(roleNames []string, access RoleGetter, traits map[string][]strin
return NewRoleSet(roles...), nil
}
// missingIdentity returns true if the identity is missing or the identity
// has no roles or traits.
func missingIdentity(identity tlsca.Identity) bool {
if len(identity.Groups) == 0 || len(identity.Traits) == 0 {
return true
}
return false
}
// ExtractRolesFromCert extracts roles from certificate metadata extensions.
func ExtractRolesFromCert(cert *ssh.Certificate) ([]string, error) {
data, ok := cert.Extensions[teleport.CertExtensionTeleportRoles]