mirror of
https://github.com/gravitational/teleport
synced 2024-10-22 02:03:24 +00:00
Update the way auth server extracts server id from identity. (#3417)
Co-authored-by: Russell Jones <russjones@users.noreply.github.com>
This commit is contained in:
parent
72c8a9c49e
commit
976f065027
|
@ -1935,7 +1935,7 @@ func (s *APIServer) emitAuditEvent(auth ClientI, w http.ResponseWriter, r *http.
|
|||
|
||||
// Validate serverID field in event matches server ID from x509 identity. This
|
||||
// check makes sure nodes can only submit events for themselves.
|
||||
serverID, err := getServerID(r)
|
||||
serverID, err := s.getServerID(r)
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
@ -1975,7 +1975,7 @@ func (s *APIServer) postSessionSlice(auth ClientI, w http.ResponseWriter, r *htt
|
|||
|
||||
// Validate serverID field in event matches server ID from x509 identity. This
|
||||
// check makes sure nodes can only submit events for themselves.
|
||||
serverID, err := getServerID(r)
|
||||
serverID, err := s.getServerID(r)
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
@ -2036,7 +2036,7 @@ func (s *APIServer) uploadSessionRecording(auth ClientI, w http.ResponseWriter,
|
|||
// Validate namespace and serverID fields in the archive match namespace and
|
||||
// serverID of the authenticated client. This check makes sure nodes can
|
||||
// only submit recordings for themselves.
|
||||
serverID, err := getServerID(r)
|
||||
serverID, err := s.getServerID(r)
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
@ -2527,18 +2527,26 @@ func (s *APIServer) processKubeCSR(auth ClientI, w http.ResponseWriter, r *http.
|
|||
}
|
||||
|
||||
// getServerID returns the ID of the connected client.
|
||||
func getServerID(r *http.Request) (string, error) {
|
||||
func (s *APIServer) getServerID(r *http.Request) (string, error) {
|
||||
role, ok := r.Context().Value(ContextUser).(BuiltinRole)
|
||||
if !ok {
|
||||
return "", trace.BadParameter("invalid role %T", r.Context().Value(ContextUser))
|
||||
}
|
||||
|
||||
parts := strings.Split(role.Username, ".")
|
||||
if len(parts) == 0 {
|
||||
return "", trace.BadParameter("invalid username: %v", role.Username)
|
||||
clusterName, err := s.AuthServer.GetDomainName()
|
||||
if err != nil {
|
||||
return "", trace.Wrap(err)
|
||||
}
|
||||
|
||||
return parts[0], nil
|
||||
// The username extracted from the node's identity (x.509 certificate)
|
||||
// is expected to consist of "<server-id>.<cluster-name>" so strip the
|
||||
// cluster name suffix to get the server id.
|
||||
//
|
||||
// Note that as of right now Teleport expects server id to be a uuid4
|
||||
// but older Gravity clusters used to override it with strings like
|
||||
// "192_168_1_1.<cluster-name>" so this code can't rely on it being
|
||||
// uuid4 to account for clusters upgraded from older versions.
|
||||
return strings.TrimSuffix(role.Username, "."+clusterName), nil
|
||||
}
|
||||
|
||||
func message(msg string) map[string]interface{} {
|
||||
|
|
|
@ -901,7 +901,7 @@ func (s *TLSSuite) TestValidateUploadSessionRecording(c *check.C) {
|
|||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
clt, err := s.server.NewClient(TestServerID(s.server.Identity.ID.HostUUID))
|
||||
clt, err := s.server.NewClient(TestServerID(serverID))
|
||||
c.Assert(err, check.IsNil)
|
||||
|
||||
sessionID := session.NewID()
|
||||
|
@ -997,7 +997,7 @@ func (s *TLSSuite) TestValidatePostSessionSlice(c *check.C) {
|
|||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
clt, err := s.server.NewClient(TestServerID(s.server.Identity.ID.HostUUID))
|
||||
clt, err := s.server.NewClient(TestServerID(serverID))
|
||||
c.Assert(err, check.IsNil)
|
||||
|
||||
date := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
|
||||
|
|
Loading…
Reference in a new issue