Regenerate server identity if APIDomain not present
smallinsky committed Mar 9, 2022
1 parent f314e59 commit 09fa7bb
Showing 4 changed files with 45 additions and 11 deletions.
17 changes: 14 additions & 3 deletions lib/auth/auth.go
Expand Up @@ -2152,11 +2152,11 @@ func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequ
NotAfter: a.clock.Now().UTC().Add(defaults.CATTL),
DNSNames: append([]string{}, req.AdditionalPrincipals...),
}

// API requests need to specify a DNS name, which must be present in the certificate's DNS Names.
// The target DNS is not always known in advance so we add a default one to all certificates.
if (types.SystemRoles{req.Role}).IncludeAny(types.RoleAuth, types.RoleAdmin, types.RoleProxy, types.RoleKube, types.RoleApp) {
certRequest.DNSNames = append(certRequest.DNSNames, "*."+constants.APIDomain, constants.APIDomain)
}
certRequest.DNSNames = append(certRequest.DNSNames, DefaultDNSNamesForRole(req.Role)...)

// Unlike additional principals, DNS Names is x509 specific and is limited
// to services with TLS endpoints (e.g. auth, proxies, kubernetes)
if (types.SystemRoles{req.Role}).IncludeAny(types.RoleAuth, types.RoleAdmin, types.RoleProxy, types.RoleKube, types.RoleWindowsDesktop) {
Expand Down Expand Up @@ -3764,3 +3764,14 @@ func WithClusterCAs(tlsConfig *tls.Config, ap AccessCache, currentClusterName st
return tlsCopy, nil
}
}

// DefaultDNSNamesForRole returns default DNS names for the specified role.
func DefaultDNSNamesForRole(role types.SystemRole) []string {
if (types.SystemRoles{role}).IncludeAny(types.RoleAuth, types.RoleAdmin, types.RoleProxy, types.RoleKube, types.RoleApp, types.RoleDatabase, types.RoleWindowsDesktop) {
return []string{
"*." + constants.APIDomain,
constants.APIDomain,
}
}
return nil
}
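Review bot: DefaultDNSNamesForRole's doc comment should spell out what the defaults are and that any role outside the list yields nil, because both call sites (GenerateHostCerts in the first hunk and getAdditionalPrincipals in lib/service/service.go) append the result without inspecting it. The role list also now includes RoleDatabase and RoleWindowsDesktop, which the replaced inline check at the top of the first hunk did not, so host certificates for those roles gain the `*.teleport.cluster.local` wildcard SAN for the first time; that widening is worth one sentence in the comment so the next reader does not treat the function as a pure refactor. The narrower list in the `// Unlike additional principals` check that closes the first hunk is now a second place that must be kept in step; hoisting the role set into a package-level `types.SystemRoles` value would make the relationship visible. Suggested comment: `// DefaultDNSNamesForRole returns the DNS names every certificate for the given role must carry: the cluster-local API domain (constants.APIDomain) and its wildcard. Roles not in the list return nil.`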
5 changes: 5 additions & 0 deletions lib/service/service.go
Expand Up @@ -2364,6 +2364,11 @@ func (process *TeleportProcess) getAdditionalPrincipals(role types.SystemRole) (
principals = append(principals, process.Config.Hostname)
}
var addrs []utils.NetAddr

// Add default DNSNames to the dnsNames list.
// For identities generated by teleport <= v6.1.6 the teleport.cluster.local DNS is not present
dnsNames = append(dnsNames, auth.DefaultDNSNamesForRole(role)...)

switch role {
case types.RoleProxy:
addrs = append(process.Config.Proxy.PublicAddrs,
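Review bot: The comment above the new append should say why the names are requested here as well as on the auth side, since GenerateHostCerts in lib/auth/auth.go appends the same DefaultDNSNamesForRole result to the request and only the utils.Deduplicate call added to tlsca.CertificateRequest.CheckAndSetDefaults keeps the SAN list from carrying each name twice. Presumably the point of listing them in dnsNames is that the identity check compares the wanted DNS names with those in the current certificate, so an older identity without teleport.cluster.local is detected and regenerated as the commit title says; that rationale is what a reader of this line needs, and the current comment only states the symptom. Suggested replacement for the two comment lines: `// Identities issued by teleport <= v6.1.6 lack the teleport.cluster.local names; requesting them here lets a stale identity be detected and regenerated. The auth server adds the same defaults and CheckAndSetDefaults deduplicates.` getAdditionalPrincipals begins outside the hunk.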
22 changes: 18 additions & 4 deletions lib/service/service_test.go
Expand Up @@ -347,6 +347,8 @@ func TestGetAdditionalPrincipals(t *testing.T) {
"proxy-kube-public-2",
},
wantDNS: []string{
"*.teleport.cluster.local",
"teleport.cluster.local",
"*.proxy-public-1",
"*.proxy-public-2",
"*.proxy-kube-public-1",
Expand All @@ -360,7 +362,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
"auth-public-1",
"auth-public-2",
},
wantDNS: []string{},
wantDNS: []string{
"*.teleport.cluster.local",
"teleport.cluster.local",
},
},
{
role: types.RoleAdmin,
Expand All @@ -369,7 +374,10 @@ func TestGetAdditionalPrincipals(t *testing.T) {
"auth-public-1",
"auth-public-2",
},
wantDNS: []string{},
wantDNS: []string{
"*.teleport.cluster.local",
"teleport.cluster.local",
},
},
{
role: types.RoleNode,
Expand All @@ -393,15 +401,21 @@ func TestGetAdditionalPrincipals(t *testing.T) {
"kube-public-1",
"kube-public-2",
},
wantDNS: []string{},
wantDNS: []string{
"*.teleport.cluster.local",
"teleport.cluster.local",
},
},
{
role: types.RoleApp,
wantPrincipals: []string{
"global-hostname",
"global-uuid",
},
wantDNS: []string{},
wantDNS: []string{
"*.teleport.cluster.local",
"teleport.cluster.local",
},
},
{
role: types.SystemRole("unknown"),
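Review bot: The table gains the cluster-local names for the proxy, auth, admin, kube and app entries, but no visible case covers RoleDatabase or RoleWindowsDesktop, which DefaultDNSNamesForRole in lib/auth/auth.go includes while the inline check it replaces did not; unless they sit in a collapsed part of the table, the two roles whose behaviour this commit actually changes are untested. One entry per role with `wantDNS: []string{"*.teleport.cluster.local", "teleport.cluster.local"}` next to the expected principals would pin it, and the existing node and unknown-role entries presumably already serve as the negative cases for roles that must stay nil. The test table begins outside the hunk.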
12 changes: 8 additions & 4 deletions lib/tlsca/ca.go
Expand Up @@ -29,14 +29,15 @@ import (
"strconv"
"time"

"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"
"github.com/sirupsen/logrus"

"github.com/gravitational/teleport"
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/api/types/events"
"github.com/gravitational/teleport/api/types/wrappers"

"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"
"github.com/sirupsen/logrus"
"github.com/gravitational/teleport/api/utils"
)

var log = logrus.WithFields(logrus.Fields{
Expand Down Expand Up @@ -772,6 +773,9 @@ func (c *CertificateRequest) CheckAndSetDefaults() error {
if c.KeyUsage == 0 {
c.KeyUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature
}

c.DNSNames = utils.Deduplicate(c.DNSNames)

return nil
}

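Review bot: The new `c.DNSNames = utils.Deduplicate(c.DNSNames)` line needs a comment explaining where duplicates come from, because the reason lives in two other packages: the requesting process now lists the default names as additional principals (lib/service/service.go) and GenerateHostCerts in lib/auth appends the same DefaultDNSNamesForRole result to the same request. Without that note a later cleanup could drop the call as redundant and silently reintroduce repeated SAN entries in issued certificates. Suggested: `// The requester's additional principals and the auth server's per-role defaults may both carry the cluster-local API names; collapse duplicates so each SAN appears once.` CheckAndSetDefaults begins outside the hunk.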