Restrict when role request filters apply

gravitational · Mar 19, 2024 · b02574c · b02574c
1 parent 20c155b
commit b02574c
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -33,6 +33,7 @@ import (
 	otlpcommonv1 "go.opentelemetry.io/proto/otlp/common/v1"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/api/accessrequest"
 	"github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/constants"
@@ -2608,6 +2609,36 @@ func (a *ServerWithRoles) SubmitAccessReview(ctx context.Context, submission typ
 	return a.authServer.submitAccessReview(ctx, submission, &identity)
 }
 
+func (a *ServerWithRoles) canFilterRequestableRolesByResource(ctx context.Context, req types.AccessCapabilitiesRequest) (bool, error) {
+	if len(req.RequestableResourceIDs) == 0 {
+		return false, nil
+	}
+	currentCluster, err := a.GetClusterName()
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	for _, resourceID := range req.RequestableResourceIDs {
+		if resourceID.ClusterName != currentCluster.GetClusterName() {
+			// Requested resource is from another cluster, so we can't know
+			// all of the roles which would grant access to it.
+			return false, nil
+		}
+	}
+
+	resources, err := accessrequest.GetResourcesByResourceIDs(ctx, a, req.RequestableResourceIDs)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	for _, resource := range resources {
+		if err := a.context.CheckAccessToResource(resource, types.VerbRead); err != nil {
+			// User doesn't have read access to one or more resources, so returning
+			// requestable roles that rely on it may leak information.
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
 func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.AccessCapabilitiesRequest) (*types.AccessCapabilities, error) {
 	// default to checking the capabilities of the caller
 	if req.User == "" {
@@ -2624,6 +2655,14 @@ func (a *ServerWithRoles) GetAccessCapabilities(ctx context.Context, req types.A
 		}
 	}
 
+	canFilter, err := a.canFilterRequestableRolesByResource(ctx, req)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if !canFilter {
+		req.RequestableResourceIDs = nil
+	}
+
 	return a.authServer.GetAccessCapabilities(ctx, req)
 }
 

diff --git a/tool/tsh/common/tsh.go b/tool/tsh/common/tsh.go
@@ -3254,7 +3254,11 @@ func accessRequestForSSH(ctx context.Context, cf *CLIConf, tc *client.TeleportCl
 		Name:        node.GetName(),
 	}}
 	if cf.RequestMode == accessRequestModeRole {
-		resp, err := clt.AuthClient.GetAccessCapabilities(ctx, types.AccessCapabilitiesRequest{
+		rootClient, err := clt.ConnectToRootCluster(ctx)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		resp, err := rootClient.GetAccessCapabilities(ctx, types.AccessCapabilitiesRequest{
 			RequestableRoles:       true,
 			RequestableResourceIDs: requestResourceIDs,
 			Login:                  tc.HostLogin,