Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v14] Fix dynamic labels not being present on server access audit events #32382

Merged
merged 1 commit into from
Sep 26, 2023
Merged

[v14] Fix dynamic labels not being present on server access audit events #32382

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
14 changes: 13 additions & 1 deletion lib/srv/regular/sshserver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -245,7 +245,7 @@ func (s *Server) TargetMetadata() apievents.ServerMetadata {
ServerNamespace: s.GetNamespace(),
ServerID: s.ID(),
ServerAddr: s.Addr(),
ServerLabels: s.labels,
ServerLabels: s.getAllLabels(),
ServerHostname: s.hostname,
}
}
Expand Down Expand Up @@ -1032,6 +1032,18 @@ func (s *Server) getDynamicLabels() map[string]types.CommandLabelV2 {
return types.LabelsToV2(s.dynamicLabels.Get())
}

// getAllLabels return a combination of static and dynamic labels.
func (s *Server) getAllLabels() map[string]string {
lmap := make(map[string]string)
for key, value := range s.getStaticLabels() {
lmap[key] = value
}
for key, cmd := range s.getDynamicLabels() {
lmap[key] = cmd.Result
}
return lmap
}

// GetInfo returns a services.Server that represents this server.
func (s *Server) GetInfo() types.Server {
return s.getBasicInfo()
Expand Down
125 changes: 105 additions & 20 deletions lib/srv/regular/sshserver_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,26 +185,7 @@ func newCustomFixture(t *testing.T, mutateCfg func(*auth.TestServerConfig), sshO
require.NoError(t, err)
t.Cleanup(func() { require.NoError(t, testServer.Shutdown(ctx)) })

priv, pub, err := testauthority.New().GenerateKeyPair()
require.NoError(t, err)

tlsPub, err := auth.PrivateKeyToPublicKeyTLS(priv)
require.NoError(t, err)

certs, err := testServer.Auth().GenerateHostCerts(ctx,
&proto.HostCertsRequest{
HostID: hostID,
NodeName: testServer.ClusterName(),
Role: types.RoleNode,
PublicSSHKey: pub,
PublicTLSKey: tlsPub,
})
require.NoError(t, err)

// set up user CA and set up a user that has access to the server
signer, err := sshutils.NewSigner(priv, certs.SSH)
require.NoError(t, err)

signer := newSigner(t, ctx, testServer)
nodeID := uuid.New().String()
nodeClient, err := testServer.NewClient(auth.TestIdentity{
I: authz.BuiltinRole{
Expand Down Expand Up @@ -2482,6 +2463,84 @@ func TestHandlePuTTYWinadj(t *testing.T) {
require.Equal(t, "hello once more\n", string(out))
}

func TestTargetMetadata(t *testing.T) {
ctx := context.Background()
testServer, err := auth.NewTestServer(auth.TestServerConfig{
Auth: auth.TestAuthServerConfig{
ClusterName: "localhost",
Dir: t.TempDir(),
Clock: clockwork.NewFakeClock(),
},
})
require.NoError(t, err)

nodeID := uuid.New().String()
nodeClient, err := testServer.NewClient(auth.TestIdentity{
I: authz.BuiltinRole{
Role: types.RoleNode,
Username: nodeID,
},
})
require.NoError(t, err)
t.Cleanup(func() { require.NoError(t, nodeClient.Close()) })

lockWatcher := newLockWatcher(ctx, t, nodeClient)

sessionController, err := srv.NewSessionController(srv.SessionControllerConfig{
Semaphores: nodeClient,
AccessPoint: nodeClient,
LockEnforcer: lockWatcher,
Emitter: nodeClient,
Component: teleport.ComponentNode,
ServerID: nodeID,
})
require.NoError(t, err)

nodeDir := t.TempDir()
serverOptions := []ServerOption{
SetUUID(nodeID),
SetNamespace(apidefaults.Namespace),
SetEmitter(nodeClient),
SetPAMConfig(&servicecfg.PAMConfig{Enabled: false}),
SetLabels(
map[string]string{"foo": "bar"},
services.CommandLabels{
"baz": &types.CommandLabelV2{
Period: types.NewDuration(time.Second),
Command: []string{"expr", "1", "+", "3"},
},
}, nil,
),
SetBPF(&bpf.NOP{}),
SetRestrictedSessionManager(&restricted.NOP{}),
SetLockWatcher(lockWatcher),
SetX11ForwardingConfig(&x11.ServerConfig{}),
SetSessionController(sessionController),
}

sshSrv, err := New(
ctx,
utils.NetAddr{AddrNetwork: "tcp", Addr: "127.0.0.1:0"},
testServer.ClusterName(),
[]ssh.Signer{newSigner(t, ctx, testServer)},
nodeClient,
nodeDir,
"",
utils.NetAddr{},
nodeClient,
serverOptions...)
require.NoError(t, err)

metadata := sshSrv.TargetMetadata()
require.Equal(t, nodeID, metadata.ServerID)
require.Equal(t, apidefaults.Namespace, metadata.ServerNamespace)
require.Equal(t, "", metadata.ServerAddr)
require.Equal(t, "localhost", metadata.ServerHostname)

require.Contains(t, metadata.ServerLabels, "foo")
require.Contains(t, metadata.ServerLabels, "baz")
}

// upack holds all ssh signing artifacts needed for signing and checking user keys
type upack struct {
// key is a raw private user key
Expand Down Expand Up @@ -2615,6 +2674,32 @@ func requireRoot(t *testing.T) {
}
}

// newSigner creates a new SSH signer that can be used by the Server.
func newSigner(t *testing.T, ctx context.Context, testServer *auth.TestServer) ssh.Signer {
t.Helper()

priv, pub, err := testauthority.New().GenerateKeyPair()
require.NoError(t, err)

tlsPub, err := auth.PrivateKeyToPublicKeyTLS(priv)
require.NoError(t, err)

certs, err := testServer.Auth().GenerateHostCerts(ctx,
&proto.HostCertsRequest{
HostID: hostID,
NodeName: testServer.ClusterName(),
Role: types.RoleNode,
PublicSSHKey: pub,
PublicTLSKey: tlsPub,
})
require.NoError(t, err)

// set up user CA and set up a user that has access to the server
signer, err := sshutils.NewSigner(priv, certs.SSH)
require.NoError(t, err)
return signer
}

// maxPipeSize is one larger than the maximum pipe size for most operating
// systems which appears to be 65536 bytes.
//
Expand Down