Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v9] Fix meaning of bot_name in bot join tokens (#11039) #11047

Merged
merged 1 commit into from
Mar 10, 2022
Merged

[v9] Fix meaning of bot_name in bot join tokens (#11039) #11047

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions lib/auth/bot.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -242,7 +242,7 @@ func (s *Server) getBotUsers(ctx context.Context) ([]types.User, error) {
// random dynamic provision token which allows bots to join with the given
// botName. Returns the token and any error.
func (s *Server) checkOrCreateBotToken(ctx context.Context, req *proto.CreateBotRequest) (types.ProvisionToken, error) {
resourceName := BotResourceName(req.Name)
botName := req.Name

// if the request includes a TokenID it should already exist
if req.TokenID != "" {
Expand All @@ -258,9 +258,9 @@ func (s *Server) checkOrCreateBotToken(ctx context.Context, req *proto.CreateBot
return nil, trace.BadParameter("token %q is not valid for role %q",
req.TokenID, types.RoleBot)
}
if provisionToken.GetBotName() != resourceName {
if provisionToken.GetBotName() != botName {
return nil, trace.BadParameter("token %q is valid for bot with name %q, not %q",
req.TokenID, provisionToken.GetBotName(), resourceName)
req.TokenID, provisionToken.GetBotName(), botName)
}
switch provisionToken.GetJoinMethod() {
case types.JoinMethodToken, types.JoinMethodIAM:
Expand All @@ -286,7 +286,7 @@ func (s *Server) checkOrCreateBotToken(ctx context.Context, req *proto.CreateBot
tokenSpec := types.ProvisionTokenSpecV2{
Roles: []types.SystemRole{types.RoleBot},
JoinMethod: types.JoinMethodToken,
BotName: resourceName,
BotName: botName,
}
token, err := types.NewProvisionTokenFromSpec(tokenName, time.Now().Add(ttl), tokenSpec)
if err != nil {
Expand Down
7 changes: 5 additions & 2 deletions lib/auth/join.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,10 @@ func (a *Server) generateCerts(ctx context.Context, provisionToken types.Provisi
if req.Role == types.RoleBot {
// bots use this endpoint but get a user cert
// botResourceName must be set, enforced in CheckAndSetDefaults
botResourceName := provisionToken.GetBotName()
botName := provisionToken.GetBotName()

// Append `bot-` to the bot name to derive its username.
botResourceName := BotResourceName(botName)
expires := a.GetClock().Now().Add(defaults.DefaultRenewableCertTTL)

joinMethod := provisionToken.GetJoinMethod()
Expand Down Expand Up @@ -141,7 +144,7 @@ func (a *Server) generateCerts(ctx context.Context, provisionToken types.Provisi
return nil, trace.BadParameter("unsupported join method %q for bot", joinMethod)
}

log.Infof("Bot %q has joined the cluster.", botResourceName)
log.Infof("Bot %q has joined the cluster.", botName)
return certs, nil
}
// generate and return host certificate and keys
Expand Down
15 changes: 9 additions & 6 deletions lib/auth/join_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -254,11 +254,11 @@ func TestAuth_RegisterUsingToken(t *testing.T) {
}
}

func newBotToken(t *testing.T, tokenName, user string, role types.SystemRole, expiry time.Time) types.ProvisionToken {
func newBotToken(t *testing.T, tokenName, botName string, role types.SystemRole, expiry time.Time) types.ProvisionToken {
t.Helper()
token, err := types.NewProvisionTokenFromSpec(tokenName, expiry, types.ProvisionTokenSpecV2{
Roles: []types.SystemRole{role},
BotName: user,
BotName: botName,
})
require.NoError(t, err, "could not create bot token")
return token
Expand All @@ -271,19 +271,22 @@ func TestRegister_Bot(t *testing.T) {

srv := newTestTLSServer(t)

botName := "test"
botResourceName := BotResourceName(botName)

_, err := createBotRole(context.Background(), srv.Auth(), "test", "bot-test", []string{})
require.NoError(t, err)

user, err := createBotUser(context.Background(), srv.Auth(), "test", "bot-test")
_, err = createBotUser(context.Background(), srv.Auth(), botName, botResourceName)
require.NoError(t, err)

later := srv.Clock().Now().Add(4 * time.Hour)

goodToken := newBotToken(t, "good-token", user.GetName(), types.RoleBot, later)
expiredToken := newBotToken(t, "expired", user.GetName(), types.RoleBot, srv.Clock().Now().Add(-1*time.Hour))
goodToken := newBotToken(t, "good-token", botName, types.RoleBot, later)
expiredToken := newBotToken(t, "expired", botName, types.RoleBot, srv.Clock().Now().Add(-1*time.Hour))
wrongKind := newBotToken(t, "wrong-kind", "", types.RoleNode, later)
wrongUser := newBotToken(t, "wrong-user", "llama", types.RoleBot, later)
invalidToken := newBotToken(t, "this-token-does-not-exist", user.GetName(), types.RoleBot, later)
invalidToken := newBotToken(t, "this-token-does-not-exist", botName, types.RoleBot, later)

err = srv.Auth().UpsertToken(context.Background(), goodToken)
require.NoError(t, err)
Expand Down