tsh proxy db --tunnel ignores --db-roles

[GavinFrazar]

Expected behavior:
tsh proxy db <db> --tunnel --db-roles=role1 should start a local proxy tunnel where automatic user provisioning will grant only role1 for the session.

Current behavior:

• if an unexpired db cert for <db> still exists, then it will uses the --db-roles from that cert, if any were requested
• if there is no unexpired db cert, then a new one is issued in memory but unfortunately doesn't respect role1 - instead it will grant all allowed db_roles from the user's role set.

Bug details:

• Teleport version: v17.3 but it affects all versions since --db-roles was added to tsh.

Recreation steps:

1. create a Teleport user with automatic db role provisioning ¹
2. make sure the user has at least two db_roles values granted to them
3. login with tsh tsh login
4. run tsh proxy db <yourdatabase> --tunnel --db-roles=<role1>
5. observe in the session that all db_roles were granted instead of only <role1>

Footnotes

1. https://goteleport.com/docs/enroll-resources/database-access/auto-user-provisioning/postgres/ ↩

[GavinFrazar]

cc @greedy52 we missed updating the tunnel mode's cert reissuer to include db roles here:

teleport/lib/client/local_proxy_middleware.go

Lines 224 to 229 in dee0535

	RouteToDatabase: proto.RouteToDatabase{
	ServiceName: c.RouteToApp.ServiceName,
	Protocol: c.RouteToApp.Protocol,
	Username: c.RouteToApp.Username,
	Database: c.RouteToApp.Database,
	},