[v10] Make source IP-pinning and proxy peering enterprise features (#…

…14153) * Make source IP-pinning an enterprise feature * Make proxy peering an enterprise only feature (#14155)
gravitational · Jul 7, 2022 · 9e3912e · 9e3912e
1 parent 6396413
commit 9e3912e
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 5 deletions.
diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx
@@ -58,7 +58,7 @@ spec:
     # if unspecified. If one or more of the user's roles has disabled
     # the clipboard, then it will be disabled.
     desktop_clipboard: true
-    # When enabled, the source IP that was used to log in is embedded in the SSH
+    # enterprise-only: when enabled, the source IP that was used to log in is embedded in the SSH
     # certificate, preventing a compromised certificate from being used on other
     # devices. The default is false.
     pin_source_ip: true

diff --git a/integration/integration_test.go b/integration/integration_test.go
@@ -61,6 +61,7 @@ import (
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/events/filesessions"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/pam"
 	"github.com/gravitational/teleport/lib/reversetunnel"
 	"github.com/gravitational/teleport/lib/service"
@@ -213,6 +214,8 @@ func TestIntegrations(t *testing.T) {
 
 // testDifferentPinnedIP tests connection is rejected when source IP doesn't match the pinned one
 func testDifferentPinnedIP(t *testing.T, suite *integrationTestSuite) {
+	modules.SetTestModules(t, &modules.TestModules{TestBuildType: modules.BuildEnterprise})
+
 	tr := utils.NewTracer(utils.ThisFunction()).Start()
 	defer tr.Stop()
 

diff --git a/integration/proxy_tunnel_strategy_test.go b/integration/proxy_tunnel_strategy_test.go
@@ -29,6 +29,7 @@ import (
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/defaults"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/service"
 	"github.com/gravitational/teleport/lib/srv/db/common"
 	"github.com/gravitational/teleport/lib/srv/db/postgres"
@@ -120,6 +121,11 @@ func TestProxyTunnelStrategyAgentMesh(t *testing.T) {
 
 // TestProxyTunnelStrategyProxyPeering tests the proxy-peer tunnel strategy
 func TestProxyTunnelStrategyProxyPeering(t *testing.T) {
+	modules.SetTestModules(t, &modules.TestModules{
+		TestBuildType: modules.BuildEnterprise,
+		TestFeatures:  modules.Features{DB: true},
+	})
+
 	p := newProxyTunnelStrategy(t, "proxy-tunnel-proxy-peer",
 		&types.TunnelStrategyV1{
 			Strategy: &types.TunnelStrategyV1_ProxyPeering{

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -3232,6 +3232,15 @@ func (a *ServerWithRoles) SetClusterNetworkingConfig(ctx context.Context, newNet
 		}
 	}
 
+	tst, err := newNetConfig.GetTunnelStrategyType()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	if tst == types.ProxyPeering &&
+		modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return trace.AccessDenied("proxy peering is an enterprise-only feature")
+	}
+
 	return a.authServer.SetClusterNetworkingConfig(ctx, newNetConfig)
 }
 

diff --git a/lib/auth/native/native.go b/lib/auth/native/native.go
@@ -34,6 +34,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/wrappers"
 	apiutils "github.com/gravitational/teleport/api/utils"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/utils"
 
@@ -228,7 +229,7 @@ func (k *Keygen) GenerateUserCert(c services.UserCertParams) ([]byte, error) {
 const sourceAddress = "source-address"
 
 // GenerateUserCertWithoutValidation generates a user certificate with the
-// passed in parameters without validating them. For use in tests only.
+// passed in parameters without validating them.
 func (k *Keygen) GenerateUserCertWithoutValidation(c services.UserCertParams) ([]byte, error) {
 	pubKey, _, _, _, err := ssh.ParseAuthorizedKey(c.PublicUserKey)
 	if err != nil {
@@ -284,6 +285,9 @@ func (k *Keygen) GenerateUserCertWithoutValidation(c services.UserCertParams) ([
 	}
 
 	if c.SourceIP != "" {
+		if modules.GetModules().BuildType() != modules.BuildEnterprise {
+			return nil, trace.AccessDenied("source IP pinning is only supported in Teleport Enterprise")
+		}
 		if cert.CriticalOptions == nil {
 			cert.CriticalOptions = make(map[string]string)
 		}

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -3025,6 +3025,11 @@ func (process *TeleportProcess) setupProxyListeners(networkingConfig types.Clust
 		tunnelStrategy = types.AgentMesh
 	}
 
+	if tunnelStrategy == types.ProxyPeering &&
+		modules.GetModules().BuildType() != modules.BuildEnterprise {
+		return nil, trace.AccessDenied("proxy peering is an enterprise-only feature")
+	}
+
 	if !cfg.Proxy.DisableReverseTunnel && tunnelStrategy == types.ProxyPeering {
 		addr, err := peerAddr(&process.Config.Proxy.PeerAddr)
 		if err != nil {

diff --git a/rfd/0066-ip-based-validation.md b/rfd/0066-ip-based-validation.md
@@ -1,6 +1,6 @@
 ---
 authors: Przemko Robakowski([email protected])
-state: draft
+state: implemented (Teleport 10.0.0)
 ---
 
 # RFD 66 - IP-based validation
@@ -12,8 +12,9 @@ state: draft
 
 ## What
 
-Additional validation based on client IP for creating and using certificates. Certificate can be used only with the same
-client IP as the one used to generate it.
+IP-based validation is an enterprise-only feature that embeds the source IP
+in SSH certificates. When enabled, SSH certificates can only be used to connect
+to resources from the same source IP that was issued the certificate.
 
 ## Why