[v14] Fix Assume Roles switch back, don't delete role if access list is using it. #33834
…ng it. When switching back to the regular user permissions after assuming roles via an access request, Teleport will now use the user login state to ensure that access list permissions are taken into account. Additionally, users will not be able to delete roles if they are in use by an access list. Finally, when refreshing the user while extending a web session, the user login state will be regenerated and used for permissions.
} | ||
|
||
var nextToken string | ||
for { |
Is there no "forEach" kind of helper method for access lists already somewhere?
No, unfortunately. :-(
lib/auth/access.go
Outdated
} | ||
|
||
for _, accessList := range accessLists { | ||
for _, r := range accessList.Spec.Grants.Roles { |
Nit: I think we have a "contains" method for string slices somewhere in utils which will make this code a bit cleaner and avoid 3rd nested for loop.
I've elected to use slices instead here, let me know what you think.
Even better.
Just dropping this here: #33851 - this is the equivalent slices change on master that keeps master and branch/v14 in sync.
Backport #33746 to branch/v14.
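
The guard this pull request describes (refuse to delete a role while any access list grants it), as an added Go example that is not Teleport's code. `AccessList`, `Lister`, `CheckRoleDeletable` and `ErrRoleInUse` are hypothetical names and the sample data is constructed; the check pages with a `nextToken` loop, matches with `slices.Contains`, and returns listing errors so the caller fails closed.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
)

// AccessList is a simplified, hypothetical stand-in: a name plus the roles it grants.
type AccessList struct {
	Name       string
	GrantRoles []string
}

// Lister returns one page of access lists and the next page token ("" on the last page).
type Lister func(pageToken string) (page []AccessList, next string, err error)

var ErrRoleInUse = errors.New("role is in use by an access list")

// CheckRoleDeletable walks every page and rejects deletion if any access list grants role.
// A listing error is returned unchanged, so the caller fails closed and keeps the role.
func CheckRoleDeletable(list Lister, role string) error {
	var nextToken string
	for {
		page, next, err := list(nextToken)
		if err != nil {
			return err
		}
		for _, al := range page {
			if slices.Contains(al.GrantRoles, role) {
				return fmt.Errorf("%w: %q is granted by access list %q", ErrRoleInUse, role, al.Name)
			}
		}
		if nextToken = next; nextToken == "" {
			return nil
		}
	}
}

func main() {
	pages := map[string][]AccessList{ // constructed sample backend: page token -> access lists
		"":   {{"auditors", []string{"auditor"}}},
		"p2": {{"dbas", []string{"db-admin", "access"}}},
	}
	next := map[string]string{"": "p2"} // page token -> following token
	list := func(tok string) ([]AccessList, string, error) { return pages[tok], next[tok], nil }
	fmt.Println(CheckRoleDeletable(list, "db-admin"))    // refused: granted on the second page
	fmt.Println(CheckRoleDeletable(list, "unused-role")) // <nil>: safe to delete
}
```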