Fix missing roles in access lists causing users to be locked out of their account by rudream · Pull Request #49456 · gravitational/teleport

rudream · 2024-11-26T12:31:13Z

Purpose

This PR resolves #43775

This PR fixes an issue where users would be logged out and locked out of their accounts if their access list references a role which no longer exists. This can occur when the role in the access list has a TTL and expires.

When generating the UserLoginState, any access lists which reference one or more non-existent roles will be skipped entirely, and an audit event is emitted as a notice.

changelog: Fix missing roles in access lists causing users to be locked out of their account

fspmarshall · 2024-11-26T16:11:19Z

While use of deny rules in access lists is discouraged, we do not have a mechanism of preventing it, meaning that it isn't sane to skip roles as it might constitute a privilege escalation.

Because of the risk of malformed access lists breaking login, we've already made a single exception to this rule. We allow access list application to fail "atomically". I.e. we assume that failure to apply the entire access lists will not result in privilege escalation, and we make it the user's responsibility to only ever use access lists as a whole as a means of privilege escalation, not privilege limiting the way an individual role might be used.

We can solve missing roles locking out users, but it must be solved s.t. the entire access list that assigned the roles is skipped, rather than just skipping the specific role (i.e. none of the roles, traits, etc from that list get applied).

rudream · 2024-12-11T23:28:13Z

We can solve missing roles locking out users, but it must be solved s.t. the entire access list that assigned the roles is skipped, rather than just skipping the specific role (i.e. none of the roles, traits, etc from that list get applied).

@fspmarshall After confirming with the customer, I've gone with this approach and updated this PR.

zmb3 · 2024-12-11T23:32:21Z

@smallinsky I would appreciate your review on this one too if you have a few minutes this week 🙏

zmb3

Just some minor cleanup suggestions.

smallinsky

LGTM.

public-teleport-github-review-bot · 2024-12-16T19:27:01Z

@rudream See the table below for backport results.

Branch	Result
branch/v16	Failed
branch/v17	Failed

rudream added backport/branch/v16 backport/branch/v17 labels Nov 26, 2024

github-actions Bot requested review from marcoandredinis and zmb3 November 26, 2024 12:31

github-actions Bot added the size/sm label Nov 26, 2024

rudream force-pushed the yassine/access-list-missing-role branch from 9b32e7f to 8c8055b Compare December 11, 2024 23:24

rudream requested a review from smallinsky December 11, 2024 23:33

smallinsky reviewed Dec 12, 2024

View reviewed changes

Comment thread lib/auth/userloginstate/generator.go Outdated

Comment thread lib/auth/userloginstate/generator.go Outdated

Comment thread lib/auth/userloginstate/generator.go Outdated

Comment thread lib/auth/userloginstate/generator.go Outdated

Comment thread lib/events/api.go Outdated

rudream requested a review from smallinsky December 12, 2024 21:21

zmb3 reviewed Dec 12, 2024

View reviewed changes

marcoandredinis removed their request for review December 13, 2024 08:30

rudream requested a review from zmb3 December 13, 2024 21:53

rudream force-pushed the yassine/access-list-missing-role branch from 8845fb9 to b91148a Compare December 13, 2024 22:02

smallinsky approved these changes Dec 14, 2024

View reviewed changes

Comment thread lib/auth/userloginstate/generator.go Outdated

zmb3 approved these changes Dec 16, 2024

View reviewed changes

skip access list if one of its roles is missing

eccfbeb

rudream force-pushed the yassine/access-list-missing-role branch from b91148a to eccfbeb Compare December 16, 2024 18:48

rudream enabled auto-merge December 16, 2024 18:48

rudream added this pull request to the merge queue Dec 16, 2024

Merged via the queue into master with commit 5047402 Dec 16, 2024

rudream deleted the yassine/access-list-missing-role branch December 16, 2024 19:25

rudream added a commit that referenced this pull request Dec 16, 2024

skip access list if one of its roles is missing (#49456)

3ef7e8c

rudream mentioned this pull request Dec 16, 2024

[v17] Fix missing roles in access lists causing users to be locked out of their account #50298

Merged

github-merge-queue Bot pushed a commit that referenced this pull request Dec 17, 2024

skip access list if one of its roles is missing (#49456) (#50298)

2309554

rudream added a commit that referenced this pull request Dec 19, 2024

skip access list if one of its roles is missing (#49456)

0256769

rudream mentioned this pull request Dec 19, 2024

[v16] Fix missing roles in access lists causing users to be locked out of their account #50460

Merged

github-merge-queue Bot pushed a commit that referenced this pull request Dec 20, 2024

skip access list if one of its roles is missing (#49456) (#50460)

b2ec964

carloscastrojumo pushed a commit to carloscastrojumo/teleport that referenced this pull request Feb 19, 2025

skip access list if one of its roles is missing (gravitational#49456)

50b9dd7

Conversation

rudream commented Nov 26, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Purpose

Uh oh!

fspmarshall commented Nov 26, 2024

Uh oh!

rudream commented Dec 11, 2024

Uh oh!

zmb3 commented Dec 11, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

zmb3 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

smallinsky left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Dec 16, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

rudream commented Nov 26, 2024 •

edited

Loading