

Use cluster name from ServerIdentity for Auth multiplexer
Proxy sends signed PROXY headers using cluster name from ServerIdentity.
If the cluster name in the file config was changed, it no longer matched the original cluster name, and
the auth service could not verify the Proxy's signed headers.
AntonAM committed Sep 21, 2023
1 parent c0aeb81 commit 47752b2
Showing 3 changed files with 31 additions and 12 deletions.
7 changes: 0 additions & 7 deletions lib/multiplexer/multiplexer.go
Expand Up @@ -500,13 +500,6 @@ func (m *Mux) detect(conn net.Conn) (*Conn, error) {
}).Warnf("%s - could not get host CA", invalidProxySignatureError)
continue
}
if errors.Is(err, ErrNonLocalCluster) {
m.WithFields(log.Fields{
"src_addr": conn.RemoteAddr(),
"dst_addr": conn.LocalAddr(),
}).Debugf("%s - signed by non local cluster", invalidProxySignatureError)
continue
}
if err != nil {
return nil, trace.Wrap(err, "%s %s -> %s", invalidProxySignatureError, conn.RemoteAddr(), conn.LocalAddr())
}
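--- a/lib/multiplexer/multiplexer_test.go
+++ b/lib/multiplexer/multiplexer_test.go
@@ -784,13 +784,13 @@ func TestMux(t *testing.T) {
 // If listener for IPv6 will fail to be created we'll skip IPv6 portion of test.
 listener6, _ := net.Listen("tcp6", "[::1]:0")
 
-startServing := func(muxListener net.Listener) (*Mux, *httptest.Server) {
+startServing := func(muxListener net.Listener, cluster string) (*Mux, *httptest.Server) {
 mux, err := New(Config{
 Listener: muxListener,
 PROXYProtocolMode: PROXYProtocolUnspecified,
 CertAuthorityGetter: casGetter,
 Clock: clockwork.NewFakeClockAt(time.Now()),
-LocalClusterName: clusterName,
+LocalClusterName: cluster,
 })
 require.NoError(t, err)
 
@@ -812,14 +812,14 @@ func TestMux(t *testing.T) {
 return mux, backend
 }
 
-mux4, backend4 := startServing(listener4)
+mux4, backend4 := startServing(listener4, clusterName)
 defer mux4.Close()
 defer backend4.Close()
 
 var backend6 *httptest.Server
 var mux6 *Mux
 if listener6 != nil {
-mux6, backend6 = startServing(listener6)
+mux6, backend6 = startServing(listener6, clusterName)
 defer mux6.Close()
 defer backend6.Close()
 }
@@ -1013,6 +1013,32 @@ func TestMux(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, addr1.IP.String()+":0", out)
 })
+t.Run("PROXY header signed by non local cluster get an error", func(t *testing.T) {
+listener, err := net.Listen("tcp", "127.0.0.1:")
+require.NoError(t, err)
+
+// start multiplexer with wrong cluster name specified
+mux, backend := startServing(listener, "different-cluster")
+t.Cleanup(func() {
+require.NoError(t, mux.Close())
+backend.Close()
+})
+
+conn, err := net.Dial("tcp", listener.Addr().String())
+require.NoError(t, err)
+defer conn.Close()
+
+signedHeader, err := signPROXYHeader(&addr1, &addr2, clusterName, tlsProxyCert, jwtSigner)
+require.NoError(t, err)
+
+_, err = conn.Write(signedHeader)
+require.NoError(t, err)
+
+clt := tls.Client(conn, clientConfig(backend))
+
+_, err = utils.RoundtripWithConn(clt)
+require.Error(t, err)
+})
 })
 }
 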
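Review bot: The `require.Error(t, err)` that closes the new "PROXY header signed by non local cluster" subtest accepts any failure of the roundtrip, so the test also passes if the connection breaks for a reason unrelated to the cluster-name mismatch (a TLS setup problem in `clientConfig`, the backend closing early). If the multiplexer's rejection reason is not observable from the client side, say so in the test with a comment such as `// the mux closes the connection before any HTTP exchange, so only the failure itself is observable here`; if a hook to capture the mux log exists in this test file, asserting that the logged reason mentions invalidProxySignatureError would pin the behavior this commit introduces. A positive control in the same subtest — the same header accepted by a mux started with `clusterName` — would also show the rejection is driven by the name and not by the fixture. The enclosing TestMux starts and ends outside the hunk.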
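--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1950,7 +1950,7 @@ func (process *TeleportProcess) initAuthService() error {
 Listener: listener,
 ID: teleport.Component(process.id),
 CertAuthorityGetter: muxCAGetter,
-LocalClusterName: clusterName,
+LocalClusterName: connector.ServerIdentity.ClusterName,
 })
 if err != nil {
 listener.Close()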
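Review bot: The switch to `connector.ServerIdentity.ClusterName` on the `LocalClusterName:` line is explained only in the commit message; a reader of initAuthService will not see why the `clusterName` value it replaces is the wrong one to verify signed PROXY headers against. Add a comment above the line, for example `// Use the cluster name from the server identity, not the file config: Proxy signs PROXY headers with the identity's cluster name, so a renamed cluster in config would make signature verification fail.` Since multiplexer.go in this commit now returns an error instead of skipping a header signed by a non-local cluster, the value passed here decides whether Proxy connections are accepted at all, which is worth stating next to it. initAuthService starts and ends outside the hunk.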
