From 47752b2d832c77fae436f190e77aa36bb482c9cc Mon Sep 17 00:00:00 2001
From: Anton Miniailo
Date: Thu, 21 Sep 2023 16:38:36 -0400
Subject: [PATCH] Use cluster name from ServerIdentity for Auth multiplexer

Proxy sends signed PROXY headers using cluster name from ServerIdentity. If cluster name in file config was changed it didn't match with original cluster name and auth service couldn't verify Proxy's signed headers.
---
 lib/multiplexer/multiplexer.go | 7 ------
 lib/multiplexer/multiplexer_test.go | 34 +++++++++++++++++++++++++----
 lib/service/service.go | 2 +-
 3 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/lib/multiplexer/multiplexer.go b/lib/multiplexer/multiplexer.go
index 1efe642823f9b..d6cd0533df4d6 100644
--- a/lib/multiplexer/multiplexer.go
+++ b/lib/multiplexer/multiplexer.go
@@ -500,13 +500,6 @@ func (m *Mux) detect(conn net.Conn) (*Conn, error) {
 				}).Warnf("%s - could not get host CA", invalidProxySignatureError)
 				continue
 			}
-			if errors.Is(err, ErrNonLocalCluster) {
-				m.WithFields(log.Fields{
-					"src_addr": conn.RemoteAddr(),
-					"dst_addr": conn.LocalAddr(),
-				}).Debugf("%s - signed by non local cluster", invalidProxySignatureError)
-				continue
-			}
 			if err != nil {
 				return nil, trace.Wrap(err, "%s %s -> %s", invalidProxySignatureError, conn.RemoteAddr(), conn.LocalAddr())
 			}
diff --git a/lib/multiplexer/multiplexer_test.go b/lib/multiplexer/multiplexer_test.go
index 746485bdaa764..fe5fe2852ccda 100644
--- a/lib/multiplexer/multiplexer_test.go
+++ b/lib/multiplexer/multiplexer_test.go
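Review bot: Removing the ErrNonLocalCluster branch turns a PROXY header signed by another cluster from a debug-logged skip into a hard rejection through the `if err != nil` return that follows, and the hunk leaves no comment recording that intent. A line above the remaining check such as `// A header signed by a cluster other than LocalClusterName is a verification failure: reject the connection rather than ignore the header.` would stop a later reader from reintroducing the lenient path. The preceding "could not get host CA" branch still logs and continues, so the two failure modes now diverge; if that asymmetry is deliberate it deserves a sentence as well. detect's body begins outside the hunk, and if ErrNonLocalCluster is no longer matched anywhere the sentinel is presumably dead and could be dropped or documented as reserved.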
@@ -784,13 +784,13 @@ func TestMux(t *testing.T) { // If listener for IPv6 will fail to be created we'll skip IPv6 portion of test. listener6, _ := net.Listen("tcp6", "[::1]:0") - startServing := func(muxListener net.Listener) (*Mux, *httptest.Server) { + startServing := func(muxListener net.Listener, cluster string) (*Mux, *httptest.Server) { mux, err := New(Config{ Listener: muxListener, PROXYProtocolMode: PROXYProtocolUnspecified, CertAuthorityGetter: casGetter, Clock: clockwork.NewFakeClockAt(time.Now()), - LocalClusterName: clusterName, + LocalClusterName: cluster, }) require.NoError(t, err) @@ -812,14 +812,14 @@ func TestMux(t *testing.T) { return mux, backend } - mux4, backend4 := startServing(listener4) + mux4, backend4 := startServing(listener4, clusterName) defer mux4.Close() defer backend4.Close() var backend6 *httptest.Server var mux6 *Mux if listener6 != nil { - mux6, backend6 = startServing(listener6) + mux6, backend6 = startServing(listener6, clusterName) defer mux6.Close() defer backend6.Close() } @@ -1013,6 +1013,32 @@ func TestMux(t *testing.T) { require.NoError(t, err) require.Equal(t, addr1.IP.String()+":0", out) }) + t.Run("PROXY header signed by non local cluster get an error", func(t *testing.T) { + listener, err := net.Listen("tcp", "127.0.0.1:") + require.NoError(t, err) + + // start multiplexer with wrong cluster name specified + mux, backend := startServing(listener, "different-cluster") + t.Cleanup(func() { + require.NoError(t, mux.Close()) + backend.Close() + }) + + conn, err := net.Dial("tcp", listener.Addr().String()) + require.NoError(t, err) + defer conn.Close() + + signedHeader, err := signPROXYHeader(&addr1, &addr2, clusterName, tlsProxyCert, jwtSigner) + require.NoError(t, err) + + _, err = conn.Write(signedHeader) + require.NoError(t, err) + + clt := tls.Client(conn, clientConfig(backend)) + + _, err = utils.RoundtripWithConn(clt) + require.Error(t, err) + }) }) } 
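Review bot: The new subtest's only assertion, `require.Error(t, err)` after utils.RoundtripWithConn, accepts any failure, so a TLS handshake problem or a backend that never started would pass it just as well as the intended signature rejection. If RoundtripWithConn surfaces the underlying net error, asserting that the connection was closed by the server would pin the rejection; otherwise a comment explaining that the multiplexer closes the connection on verification failure, so the client can only observe a closed socket, makes the weak assertion intentional rather than accidental. A smaller point: the subtest mixes `defer conn.Close()` with t.Cleanup for the mux and backend, and using t.Cleanup for all three keeps teardown order explicit; the subtest name also reads better as "gets an error". All three hunks sit inside TestMux, whose body starts and ends outside the hunks.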
diff --git a/lib/service/service.go b/lib/service/service.go
index 0260ef732dd9d..78921c8f0d265 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1950,7 +1950,7 @@ func (process *TeleportProcess) initAuthService() error {
 		Listener: listener,
 		ID: teleport.Component(process.id),
 		CertAuthorityGetter: muxCAGetter,
-		LocalClusterName: clusterName,
+		LocalClusterName: connector.ServerIdentity.ClusterName,
 	})
 	if err != nil {
 		listener.Close()
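Review bot: The switch to `connector.ServerIdentity.ClusterName` leaves no explanation at the call site of why the identity, rather than the file config's clusterName, is the right trust anchor for verifying signed PROXY headers; a comment like `// Proxies sign PROXY headers with the cluster name from their ServerIdentity, so verification must use the same source, not the possibly edited file config.` captures the reasoning from the commit message where the next maintainer will look for it. Because the two names can now differ silently, logging a warning when `clusterName != connector.ServerIdentity.ClusterName` would make a renamed config visible to operators instead of surfacing only as rejected connections elsewhere. Presumably clusterName is still used elsewhere in initAuthService, otherwise the compiler would flag it as unused. initAuthService's body extends outside the hunk.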