Database Agent - remove Support for UserCA (#23758)
This commit is contained in:
parent
9a0a8bae58
commit
bf695e0cb4
@ -950,11 +950,8 @@ message DatabaseCSRRequest {
bytes CSR = 1 [(gogoproto.jsontag) = "csr"];
// ClusterName is the name of the cluster the request is for.
string ClusterName = 2 [(gogoproto.jsontag) = "cluster_name"];
// SignWithDatabaseCA if set to true will use Database CA to sign the created certificate.
// This flag was created to enable Database CA for new proxies and don't break old one that
// are still using UserCA.
// DELETE IN 11.0.
bool SignWithDatabaseCA = 3 [(gogoproto.jsontag) = "sign_with_database_ca"];
// SignWithDatabaseCA deprecated.
reserved 3;
}
// DatabaseCSRResponse contains the signed database certificate.
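Review bot: `reserved 3;` protects the field number but not the field name, so a future `SignWithDatabaseCA` field could be re-added under a new number and collide with the `sign_with_database_ca` JSON tag that older clients may still emit. Reserve the name as well: `reserved 3;` followed by `reserved "SignWithDatabaseCA";`. The replacement comment `// SignWithDatabaseCA deprecated.` would read better as `// SignWithDatabaseCA (field 3) was removed; the Database CA is now always used.`, which tells a reader what the server does with requests that still set it.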
@ -188,17 +188,9 @@ func (s *Server) SignDatabaseCSR(ctx context.Context, req *proto.DatabaseCSRRequ
// Get the correct cert TTL based on roles.
ttl := roles.AdjustSessionTTL(apidefaults.CertDuration)
caType := types.UserCA
if req.SignWithDatabaseCA {
// Field SignWithDatabaseCA was added in Teleport 10 when DatabaseCA was introduced.
// Previous Teleport versions used UserCA, and we still need to sign certificates with UserCA
// for compatibility reason. Teleport 10+ expects request signed with DatabaseCA.
caType = types.DatabaseCA
}
// Generate the TLS certificate.
ca, err := s.GetCertAuthority(ctx, types.CertAuthID{
Type: caType,
Type: types.DatabaseCA,
DomainName: clusterName.GetClusterName(),
}, true)
if err != nil {
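Review bot: With `Type: types.DatabaseCA` now hard-coded, the server no longer has any signal about what CA the caller expects; a proxy that still sets the old request field 3 (now reserved on the wire) presumably has that value dropped by the parser and is silently issued a Database CA-signed certificate instead of being rejected. That is the intended end state of the migration, but the function doc should say so since the explanatory comment about UserCA compatibility was removed here. Suggested addition to the doc comment on `SignDatabaseCSR`, whose header is outside this hunk: `// The certificate is always signed by the Database CA; callers that can only validate UserCA-signed certificates are no longer supported.`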
@ -571,30 +571,20 @@ func getLeafClusterCAs(ctx context.Context, srv *Server, domainName string, vali
// getCATypesForLeaf returns the list of CA certificates that should be sync in response to ValidateTrustedClusterRequest.
func getCATypesForLeaf(validateRequest *ValidateTrustedClusterRequest) ([]types.CertAuthType, error) {
var (
err error
databaseCASupported bool
openSSHCASupported bool
err error
openSSHCASupported bool
)
if validateRequest.TeleportVersion != "" {
// (*ValidateTrustedClusterRequest).TeleportVersion was added in Teleport 10.0. If the request comes from an older
// cluster this field will be empty.
databaseCASupported, err = utils.MinVerWithoutPreRelease(validateRequest.TeleportVersion, constants.DatabaseCAMinVersion)
if err != nil {
return nil, trace.Wrap(err, "failed to parse Teleport version: %q", validateRequest.TeleportVersion)
}
openSSHCASupported, err = utils.MinVerWithoutPreRelease(validateRequest.TeleportVersion, constants.OpenSSHCAMinVersion)
if err != nil {
return nil, trace.Wrap(err, "failed to parse Teleport version: %q", validateRequest.TeleportVersion)
}
}
certTypes := []types.CertAuthType{types.HostCA, types.UserCA}
if databaseCASupported {
// Database CA was introduced in Teleport 10.0. Do not send it to older clusters
// as they don't understand it.
certTypes = append(certTypes, types.DatabaseCA)
}
certTypes := []types.CertAuthType{types.HostCA, types.UserCA, types.DatabaseCA}
if openSSHCASupported {
// OpenSSH CA was introduced in Teleport 12.0. Do not send it to older clusters
// as they don't understand it.
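Review bot: The new `certTypes := []types.CertAuthType{types.HostCA, types.UserCA, types.DatabaseCA}` sends the Database CA to every leaf, including requests with an empty `TeleportVersion`, which the removed branch treated as a pre-Database CA cluster and deliberately excluded; the OpenSSH CA right below keeps its version gate, so a reader will wonder why this one does not. If the reason is that leaf clusters older than the Database CA minimum version are no longer supported, state it next to the slice: `// Database CA is sent unconditionally: leaf clusters that predate it are no longer supported.` The function's doc comment should also read `should be synced` rather than `should be sync`. The function continues past the end of this hunk.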
@ -360,7 +360,7 @@ func TestValidateTrustedCluster(t *testing.T) {
require.Equal(t, localClusterName, osshCAs[0].GetName())
})
t.Run("only Host and User CA are returned for v9", func(t *testing.T) {
t.Run("Host User and Database CA are returned by default", func(t *testing.T) {
leafClusterCA := types.CertAuthority(suite.NewTestCA(types.HostCA, "leafcluster"))
resp, err := a.validateTrustedCluster(ctx, &ValidateTrustedClusterRequest{
Token: validToken,
@ -369,10 +369,10 @@ func TestValidateTrustedCluster(t *testing.T) {
})
require.NoError(t, err)
require.Len(t, resp.CAs, 2)
require.Len(t, resp.CAs, 3)
require.ElementsMatch(t,
[]types.CertAuthType{types.HostCA, types.UserCA},
[]types.CertAuthType{resp.CAs[0].GetType(), resp.CAs[1].GetType()},
[]types.CertAuthType{types.HostCA, types.UserCA, types.DatabaseCA},
[]types.CertAuthType{resp.CAs[0].GetType(), resp.CAs[1].GetType(), resp.CAs[2].GetType()},
)
})
@ -33,7 +33,6 @@ import (
"github.com/gravitational/teleport"
"github.com/gravitational/teleport/api/client/proto"
"github.com/gravitational/teleport/api/constants"
apidefaults "github.com/gravitational/teleport/api/defaults"
"github.com/gravitational/teleport/api/types"
apiutils "github.com/gravitational/teleport/api/utils"
@ -581,18 +580,9 @@ func (s *ProxyServer) getConfigForServer(ctx context.Context, identity tlsca.Ide
return nil, trace.Wrap(err)
}
// DatabaseCA was introduced in Teleport 10. Older versions require database certificate signed
// with UserCA where Teleport 10+ uses DatabaseCA.
ver10orAbove, err := utils.MinVerWithoutPreRelease(server.GetTeleportVersion(), constants.DatabaseCAMinVersion)
if err != nil {
return nil, trace.Wrap(err, "failed to parse Teleport version: %q", server.GetTeleportVersion())
}
response, err := s.cfg.AuthClient.SignDatabaseCSR(ctx, &proto.DatabaseCSRRequest{
CSR: csr,
ClusterName: identity.RouteToCluster,
// TODO: Remove in Teleport 11.
SignWithDatabaseCA: ver10orAbove,
})
if err != nil {
return nil, trace.Wrap(err)
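Review bot: Dropping the `utils.MinVerWithoutPreRelease(server.GetTeleportVersion(), ...)` check means the proxy no longer knows whether the target database agent can validate a Database CA-signed certificate; an agent that predates the Database CA would presumably now fail at the TLS handshake with a generic error instead of the explicit `failed to parse Teleport version` path that existed before. If the supported-version floor makes that impossible, the remaining `SignDatabaseCSR` call deserves a one-line comment recording the assumption, e.g. `// Database agents always validate Database CA-signed certificates; agents predating the Database CA are no longer supported.` Check that `constants` and `utils` are still referenced elsewhere in this file after this removal, since this hunk no longer uses them. `getConfigForServer` begins and ends outside this hunk.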
@ -380,9 +380,11 @@ func New(ctx context.Context, config Config) (*Server, error) {
// Update TLS config to require client certificate.
server.cfg.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
server.cfg.TLSConfig.GetConfigForClient = getConfigForClient(
server.cfg.TLSConfig, server.cfg.AccessPoint, server.log,
// TODO: Remove UserCA in Teleport 11.
types.UserCA, types.DatabaseCA)
server.cfg.TLSConfig,
server.cfg.AccessPoint,
server.log,
types.DatabaseCA,
)
return server, nil
}
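Review bot: Passing only `types.DatabaseCA` to `getConfigForClient` narrows the set of issuers the agent accepts for client certificates, which is the right tightening, but removing the `// TODO: Remove UserCA in Teleport 11.` line leaves nothing explaining why UserCA is absent and a future maintainer may add it back "for compatibility". Put the intent on the call: `// Only client certificates issued by the Database CA are trusted; UserCA-signed client certificates are rejected.` The surrounding `New` function starts outside this hunk.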