Windows user creation

api/proto/teleport/legacy/types/types.proto

@@ -2368,6 +2368,13 @@ message RoleOptions {
   // IDP is a set of options related to accessing IdPs within Teleport.
   // Requires Teleport Enterprise.
   IdPOptions IDP = 25 [(gogoproto.jsontag) = "idp,omitempty"];
+
+  // CreateDesktopUser allows users to be automatically created on a Windows desktop
+  BoolValue CreateDesktopUser = 26 [
+    (gogoproto.nullable) = true,
+    (gogoproto.jsontag) = "create_desktop_user",
+    (gogoproto.customtype) = "BoolOption"
+  ];
 }
 
 message RecordSession {
@@ -2536,6 +2543,9 @@ message RoleConditions {
     (gogoproto.jsontag) = "db_service_labels,omitempty",
     (gogoproto.customtype) = "Labels"
   ];
+
+  // DesktopGroups is a list of groups for created desktop users to be added to
+  repeated string DesktopGroups = 27 [(gogoproto.jsontag) = "desktop_groups,omitempty"];
 }
 
 // KubernetesResource is the Kubernetes resource identifier.

api/types/role.go

@@ -205,6 +205,11 @@ type Role interface {
 	// SetHostGroups sets the list of groups this role is put in when users are provisioned
 	SetHostGroups(RoleConditionType, []string)
 
+	// GetDesktopGroups gets the list of groups this role is put in when desktop users are provisioned
+	GetDesktopGroups(RoleConditionType) []string
+	// SetDesktopGroups sets the list of groups this role is put in when desktop users are provisioned
+	SetDesktopGroups(RoleConditionType, []string)
+
 	// GetHostSudoers gets the list of sudoers entries for the role
 	GetHostSudoers(RoleConditionType) []string
 	// SetHostSudoers sets the list of sudoers entries for the role
@@ -215,7 +220,7 @@ type Role interface {
 
 	// GetDatabaseServiceLabels gets the map of db service labels this role is allowed or denied access to.
 	GetDatabaseServiceLabels(RoleConditionType) Labels
-	// SetDatabaseLabels sets the map of db service labels this role is allowed or denied access to.
+	// SetDatabaseServiceLabels sets the map of db service labels this role is allowed or denied access to.
 	SetDatabaseServiceLabels(RoleConditionType, Labels)
 }
 
@@ -714,7 +719,7 @@ func (r *RoleV6) SetRules(rct RoleConditionType, in []Rule) {
 	}
 }
 
-// GetGroups gets all groups for provisioned user
+// GetHostGroups gets all groups for provisioned user
 func (r *RoleV6) GetHostGroups(rct RoleConditionType) []string {
 	if rct == Allow {
 		return r.Spec.Allow.HostGroups
@@ -732,6 +737,24 @@ func (r *RoleV6) SetHostGroups(rct RoleConditionType, groups []string) {
 	}
 }
 
+// GetDesktopGroups gets all groups for provisioned user
+func (r *RoleV6) GetDesktopGroups(rct RoleConditionType) []string {
+	if rct == Allow {
+		return r.Spec.Allow.DesktopGroups
+	}
+	return r.Spec.Deny.DesktopGroups
+}
+
+// SetDesktopGroups sets all groups for provisioned user
+func (r *RoleV6) SetDesktopGroups(rct RoleConditionType, groups []string) {
+	ncopy := utils.CopyStrings(groups)
+	if rct == Allow {
+		r.Spec.Allow.DesktopGroups = ncopy
+	} else {
+		r.Spec.Deny.DesktopGroups = ncopy
+	}
+}
+
 // GetHostSudoers gets the list of sudoers entries for the role
 func (r *RoleV6) GetHostSudoers(rct RoleConditionType) []string {
 	if rct == Allow {
@@ -808,6 +831,9 @@ func (r *RoleV6) CheckAndSetDefaults() error {
 	if r.Spec.Options.CreateHostUser == nil {
 		r.Spec.Options.CreateHostUser = NewBoolOption(false)
 	}
+	if r.Spec.Options.CreateDesktopUser == nil {
+		r.Spec.Options.CreateDesktopUser = NewBoolOption(false)
+	}
 	if r.Spec.Options.SSHFileCopy == nil {
 		r.Spec.Options.SSHFileCopy = NewBoolOption(true)
 	}

lib/auth/windows/windows.go

@@ -21,6 +21,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"time"
@@ -30,6 +31,7 @@ import (
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/services"
+	"github.com/gravitational/teleport/lib/tlsca"
 )
 
 const (
@@ -46,6 +48,20 @@ type certRequest struct {
 	keyDER      []byte
 }
 
+func createUsersExtension(createUser bool, groups []string) (pkix.Extension, error) {
+	value, err := json.Marshal(struct {
+		CreateUser bool
+		Groups     []string
+	}{createUser, groups})
+	if err != nil {
+		return pkix.Extension{}, trace.Wrap(err)
+	}
+	return pkix.Extension{
+		Id:    tlsca.CreateUserOID,
+		Value: value,
+	}, nil
+}
+
 func getCertRequest(req *GenerateCredentialsRequest) (*certRequest, error) {
 	// Important: rdpclient currently only supports 2048-bit RSA keys.
 	// If you switch the key type here, update handle_general_authentication in
@@ -64,6 +80,10 @@ func getCertRequest(req *GenerateCredentialsRequest) (*certRequest, error) {
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+	createUser, err := createUsersExtension(req.CreateUser, req.Groups)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 	csr := &x509.CertificateRequest{
 		Subject: pkix.Name{CommonName: req.Username},
 		// We have to pass SAN and ExtKeyUsage as raw extensions because
@@ -75,6 +95,7 @@ func getCertRequest(req *GenerateCredentialsRequest) (*certRequest, error) {
 		ExtraExtensions: []pkix.Extension{
 			EnhancedKeyUsageExtension,
 			san,
+			createUser,
 		},
 	}
 
@@ -145,6 +166,10 @@ type GenerateCredentialsRequest struct {
 	// CAType is the certificate authority type used to generate the certificate.
 	// This is used to proper generate the CRL LDAP path.
 	CAType types.CertAuthType
+	// CreateUser specifies if Windows user should be created if missing
+	CreateUser bool
+	// Groups are groups that user should be member of
+	Groups []string
 }
 
 // GenerateWindowsDesktopCredentials generates a private key / certificate pair for the given

lib/services/access_checker.go

@@ -192,6 +192,9 @@ type AccessChecker interface {
 	// a role disallows host user creation
 	HostUsers(types.Server) (*HostUsersInfo, error)
 
+	// DesktopGroups returns desktop groups matching a desktop or nil if a role disallows desktop user creation
+	DesktopGroups(types.WindowsDesktop) ([]string, error)
+
 	// PinSourceIP forces the same client IP for certificate generation and SSH usage
 	PinSourceIP() bool
 

lib/services/role.go

@@ -411,6 +411,9 @@ func ApplyTraits(r types.Role, traits map[string][]string) types.Role {
 		r.SetHostSudoers(condition,
 			applyValueTraitsSlice(r.GetHostSudoers(condition), traits, "host_sudoers"))
 
+		r.SetDesktopGroups(condition,
+			applyValueTraitsSlice(r.GetDesktopGroups(condition), traits, "desktop_groups"))
+
 		options := r.GetOptions()
 		for i, ext := range options.CertExtensions {
 			vals, err := ApplyValueTraits(ext.Value, traits)
@@ -2703,6 +2706,45 @@ func (set RoleSet) EnhancedRecordingSet() map[string]bool {
 	return m
 }
 
+// DesktopGroups returns desktop groups matching a desktop or nil if a role disallows desktop user creation
+func (set RoleSet) DesktopGroups(s types.WindowsDesktop) ([]string, error) {
+	groups := make(map[string]struct{})
+	desktop := s.GetAllLabels()
+	for _, role := range set {
+		result, _, err := MatchLabels(role.GetNodeLabels(types.Allow), desktop)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		// skip nodes that dont have matching labels
+		if !result {
+			continue
+		}
+		createDesktopUser := role.GetOptions().CreateDesktopUser
+		// if any of the matching roles do not enable create host
+		// user, the user should not be allowed on
+		if createDesktopUser == nil || !createDesktopUser.Value {
+			return nil, trace.AccessDenied("user is not allowed to create host users")
+		}
+		for _, group := range role.GetDesktopGroups(types.Allow) {
+			groups[group] = struct{}{}
+		}
+	}
+	for _, role := range set {
+		result, _, err := MatchLabels(role.GetNodeLabels(types.Deny), desktop)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		if !result {
+			continue
+		}
+		for _, group := range role.GetDesktopGroups(types.Deny) {
+			delete(groups, group)
+		}
+	}
+
+	return utils.StringsSliceFromSet(groups), nil
+}
+
 // HostUsers returns host user information matching a server or nil if
 // a role disallows host user creation
 func (set RoleSet) HostUsers(s types.Server) (*HostUsersInfo, error) {

lib/services/role_test.go

@@ -234,6 +234,7 @@ func TestRoleParse(t *testing.T) {
 						BPF:                     apidefaults.EnhancedEvents(),
 						DesktopClipboard:        types.NewBoolOption(true),
 						DesktopDirectorySharing: types.NewBoolOption(true),
+						CreateDesktopUser:       types.NewBoolOption(false),
 						CreateHostUser:          types.NewBoolOption(false),
 						SSHFileCopy:             types.NewBoolOption(true),
 						IDP: &types.IdPOptions{
@@ -285,6 +286,7 @@ func TestRoleParse(t *testing.T) {
 						BPF:                     apidefaults.EnhancedEvents(),
 						DesktopClipboard:        types.NewBoolOption(true),
 						DesktopDirectorySharing: types.NewBoolOption(true),
+						CreateDesktopUser:       types.NewBoolOption(false),
 						CreateHostUser:          types.NewBoolOption(false),
 						SSHFileCopy:             types.NewBoolOption(true),
 						IDP: &types.IdPOptions{
@@ -375,6 +377,7 @@ func TestRoleParse(t *testing.T) {
 						BPF:                     apidefaults.EnhancedEvents(),
 						DesktopClipboard:        types.NewBoolOption(true),
 						DesktopDirectorySharing: types.NewBoolOption(true),
+						CreateDesktopUser:       types.NewBoolOption(false),
 						CreateHostUser:          types.NewBoolOption(false),
 						SSHFileCopy:             types.NewBoolOption(false),
 						IDP: &types.IdPOptions{
@@ -480,6 +483,7 @@ func TestRoleParse(t *testing.T) {
 						BPF:                     apidefaults.EnhancedEvents(),
 						DesktopClipboard:        types.NewBoolOption(true),
 						DesktopDirectorySharing: types.NewBoolOption(true),
+						CreateDesktopUser:       types.NewBoolOption(false),
 						CreateHostUser:          types.NewBoolOption(false),
 						SSHFileCopy:             types.NewBoolOption(true),
 						IDP: &types.IdPOptions{
@@ -572,6 +576,7 @@ func TestRoleParse(t *testing.T) {
 						BPF:                     apidefaults.EnhancedEvents(),
 						DesktopClipboard:        types.NewBoolOption(true),
 						DesktopDirectorySharing: types.NewBoolOption(true),
+						CreateDesktopUser:       types.NewBoolOption(false),
 						CreateHostUser:          types.NewBoolOption(false),
 						SSHFileCopy:             types.NewBoolOption(true),
 						IDP: &types.IdPOptions{

lib/srv/desktop/windows_server.go

@@ -455,7 +455,7 @@ func (s *WindowsService) tlsConfigForLDAP() (*tls.Config, error) {
 		using to sign in. This is set to become a strict requirement by May 2023,
 		please update your configuration file before then.`)
 	}
-	certDER, keyDER, err := s.generateCredentials(s.closeCtx, user, s.cfg.Domain, windowsDesktopServiceCertTTL, s.cfg.SID)
+	certDER, keyDER, err := s.generateCredentials(s.closeCtx, user, s.cfg.Domain, windowsDesktopServiceCertTTL, s.cfg.SID, false, nil)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -857,10 +857,19 @@ func (s *WindowsService) connectRDP(ctx context.Context, log logrus.FieldLogger,
 	tdpConn.OnRecv = s.makeTDPReceiveHandler(ctx, sw, delay, &identity, string(sessionID), desktop.GetAddr(), tdpConn)
 
 	sessionStartTime := s.cfg.Clock.Now().UTC().Round(time.Millisecond)
+	groups, err := authCtx.Checker.DesktopGroups(desktop)
+	if err != nil && !trace.IsAccessDenied(err) {
+		s.onSessionStart(ctx, sw, &identity, sessionStartTime, windowsUser, string(sessionID), desktop, err)
+		return trace.Wrap(err)
+	}
+	var createUsers bool
+	if err == nil {
+		createUsers = true
+	}
 	rdpc, err := rdpclient.New(rdpclient.Config{
 		Log: log,
 		GenerateUserCert: func(ctx context.Context, username string, ttl time.Duration) (certDER, keyDER []byte, err error) {
-			return s.generateUserCert(ctx, username, ttl, desktop)
+			return s.generateUserCert(ctx, username, ttl, desktop, createUsers, groups)
 		},
 		CertTTL:               windows.CertTTL,
 		Addr:                  desktop.GetAddr(),
@@ -1097,7 +1106,7 @@ func timer() func() int64 {
 
 // generateUserCert generates a keypair for the given Windows username,
 // optionally querying LDAP for the user's Security Identifier.
-func (s *WindowsService) generateUserCert(ctx context.Context, username string, ttl time.Duration, desktop types.WindowsDesktop) (certDER, keyDER []byte, err error) {
+func (s *WindowsService) generateUserCert(ctx context.Context, username string, ttl time.Duration, desktop types.WindowsDesktop, createUsers bool, groups []string) (certDER, keyDER []byte, err error) {
 	var activeDirectorySID string
 	if !desktop.NonAD() {
 		// Find the user's SID
@@ -1130,15 +1139,15 @@ func (s *WindowsService) generateUserCert(ctx context.Context, username string,
 		}
 		s.cfg.Log.Debugf("Found objectSid %v for Windows username %v", activeDirectorySID, username)
 	}
-	return s.generateCredentials(ctx, username, desktop.GetDomain(), ttl, activeDirectorySID)
+	return s.generateCredentials(ctx, username, desktop.GetDomain(), ttl, activeDirectorySID, createUsers, groups)
 }
 
 // generateCredentials generates a private key / certificate pair for the given
 // Windows username. The certificate has certain special fields different from
 // the regular Teleport user certificate, to meet the requirements of Active
 // Directory. See:
 // https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration
-func (s *WindowsService) generateCredentials(ctx context.Context, username, domain string, ttl time.Duration, activeDirectorySID string) (certDER, keyDER []byte, err error) {
+func (s *WindowsService) generateCredentials(ctx context.Context, username, domain string, ttl time.Duration, activeDirectorySID string, createUser bool, groups []string) (certDER, keyDER []byte, err error) {
 	return windows.GenerateWindowsDesktopCredentials(ctx, &windows.GenerateCredentialsRequest{
 		CAType:             types.UserCA,
 		Username:           username,
@@ -1148,6 +1157,8 @@ func (s *WindowsService) generateCredentials(ctx context.Context, username, doma
 		ActiveDirectorySID: activeDirectorySID,
 		LDAPConfig:         s.cfg.LDAPConfig,
 		AuthClient:         s.cfg.AuthClient,
+		CreateUser:         createUser,
+		Groups:             groups,
 	})
 }
 

lib/srv/desktop/windows_server_test.go

@@ -149,7 +149,7 @@ func TestGenerateCredentials(t *testing.T) {
 			activeDirectorySID: testSid,
 		},
 	} {
-		certb, keyb, err := w.generateCredentials(ctx, user, domain, windows.CertTTL, test.activeDirectorySID)
+		certb, keyb, err := w.generateCredentials(ctx, user, domain, windows.CertTTL, test.activeDirectorySID, false, nil)
 		require.NoError(t, err)
 		require.NotNil(t, certb)
 		require.NotNil(t, keyb)

lib/tlsca/ca.go

@@ -483,6 +483,9 @@ var (
 	// PinnedIPASN1ExtensionOID is an extension ID used when encoding/decoding
 	// the IP the certificate is pinned to.
 	PinnedIPASN1ExtensionOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 15}
+
+	// CreateUserOID
+	CreateUserOID = asn1.ObjectIdentifier{1, 3, 9999, 2, 16}
 )
 
 // Device Trust OIDs.

lib/web/resources_test.go

@@ -218,6 +218,7 @@ spec:
   deny: {}
   options:
     cert_format: standard
+    create_desktop_user: false
     create_host_user: false
     desktop_clipboard: true
     desktop_directory_sharing: true

tool/tctl/sso/tester/format_test.go

@@ -85,6 +85,7 @@ allow:
 deny: {}
 options:
   cert_format: ""
+  create_desktop_user: null
   create_host_user: null
   desktop_clipboard: null
   desktop_directory_sharing: null
@@ -137,7 +138,8 @@ func Test_formatJSON(t *testing.T) {
         "desktop_directory_sharing": null,
         "create_host_user": null,
         "pin_source_ip": false,
-        "ssh_file_copy": null
+        "ssh_file_copy": null,
+        "create_desktop_user": null
     },
     "allow": {
         "logins": [