[v17] MWI: Minimal bound-keypair joining implementation (#54371)#55037
Merged: timothyb89 merged 5 commits into branch/v17, Aug 16, 2025
Conversation
gzdunek approved these changes, May 22, 2025
greedy52 approved these changes, May 22, 2025
Base automatically changed from timothyb89/v17/bound-keypair-protos to branch/v17, May 22, 2025 20:55
Commits:

* MWI: Minimal bound-keypair joining implementation

  This includes a minimal implementation of bound-keypair joining. This first iteration requires preregistered public keys, and requires `unlimited` and `insecure` flags to be set on bound keypair tokens. Minimal client-side implementation will be in a follow up PR.

  RFD: #52546
  Closes #53373

* Refactor challenge response function, rebase on updated protos branch

  This includes a number of changes:
  - Rebases on the latest protos branch. This includes removal of the new keypair field on initial join, and adds messages for interactive keypair rotation.
  - Per the rebase, remaining_joins is removed in favor of using join_count for all calculations. The registration method and validity checks have been updated to reference that instead.
  - Refactors challenge response function to allow for keypair rotation. We still don't implement rotation but the handler now receives the full proto message and produces a full proto response, so that we can easily handle the rotation case in the future.
  - Challenge validation checks time fields explicitly to ensure the client didn't tamper with them.
  - Added some missing docstrings

* Add joinserver test
* Fix lint error and add docstring
* Add tests for bound keypair challenge validation
* Remove client side package intended for other PR
* Fix various lints
* Add tests for RegisterUsingBoundKeypairMethod()
* Fix lints
* Add basic provisioning token CheckAndSetDefaults() tests
* Include bound public key in RegisterUsingBoundKeypairMethod return

  This is passed back to clients as part of the proto certs message as confirmation that rotation succeeded, so the value needed to be plumbed through.

* Fixes after upstream proto change

  We renamed and tweaked a number of proto fields, so this updates field references.

* Apply suggestions from code review

  Co-authored-by: Dan Upton <daniel.upton@goteleport.com>

* Remove TODO
* Fix missed field rename
* Fix broken test
* Fix lurking nil pointer deref after field rename

Co-authored-by: Dan Upton <daniel.upton@goteleport.com>

a08564c to 1b70a74
timothyb89 (Contributor, Author): This is positively ancient at this point, but I've finally fixed this up and tested it against a cloud tenant. Backports continue in #57961. I don't consider anything in this PR to be risky for any particular v17 release; I think the last PR (removing the experiment flag) is probably the only one that might warrant a minor release.
Backport of #54371 for branch/v17

changelog: Machine and Workload ID: Add experimental implementation of new `bound_keypair` join method for improved bot joining in on-prem environments

MWI: Minimal bound-keypair joining implementation

This includes a minimal implementation of bound-keypair joining. This first iteration requires preregistered public keys, and requires `unlimited` and `insecure` flags to be set on bound keypair tokens. Minimal client-side implementation will be in a follow up PR.

RFD: #52546
Closes #53373

This includes a number of changes:

* Add joinserver test
* Fix lint error and add docstring
* Add tests for bound keypair challenge validation
* Remove client side package intended for other PR
* Fix various lints
* Add tests for RegisterUsingBoundKeypairMethod()
* Fix lints
* Add basic provisioning token CheckAndSetDefaults() tests
* Include bound public key in RegisterUsingBoundKeypairMethod return

  This is passed back to clients as part of the proto certs message as confirmation that rotation succeeded, so the value needed to be plumbed through.

* We renamed and tweaked a number of proto fields, so this updates field references.
* Apply suggestions from code review
* Remove TODO
* Fix missed field rename
* Fix broken test
* Fix lurking nil pointer deref after field rename
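As an added illustration, not Teleport's code and not part of this PR, here is a hypothetical Go sketch of the server-side checks the commit messages describe: a preregistered public key, single-use challenges, time fields compared against the server's own record instead of being trusted from the client, the `unlimited` flag, and a join_count that grows only on success. The type names, field names and signing format are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Challenge is hypothetical: the client echoes the nonce and both time fields back under its signature.
type Challenge struct {
	Nonce               []byte
	IssuedAt, ExpiresAt time.Time
}

// bytes is the assumed signing input: nonce || issued_at || expires_at as big-endian Unix seconds.
func (c Challenge) bytes() []byte {
	b := binary.BigEndian.AppendUint64(append([]byte{}, c.Nonce...), uint64(c.IssuedAt.Unix()))
	return binary.BigEndian.AppendUint64(b, uint64(c.ExpiresAt.Unix()))
}

// Token is a bound keypair token with a preregistered public key; the PR says the first iteration requires unlimited.
type Token struct {
	PublicKey ed25519.PublicKey
	Unlimited bool
	JoinCount int // grows on every successful join, even for unlimited tokens
}
// Server records each issued challenge so a response's time fields are checked against the server's own copy.
type Server struct{ issued map[string]Challenge }

func (s *Server) Issue(now time.Time, ttl time.Duration) Challenge {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	if s.issued == nil { s.issued = map[string]Challenge{} }
	c := Challenge{Nonce: nonce, IssuedAt: now, ExpiresAt: now.Add(ttl)}
	s.issued[string(nonce)] = c
	return c
}
// Validate verifies one signed response and records the join on success.
func (s *Server) Validate(tok *Token, echoed Challenge, sig []byte, now time.Time) error {
	stored, ok := s.issued[string(echoed.Nonce)]
	if !ok { return errors.New("unknown or already used challenge") }
	delete(s.issued, string(echoed.Nonce)) // single use, even if a later check fails
	if !echoed.IssuedAt.Equal(stored.IssuedAt) || !echoed.ExpiresAt.Equal(stored.ExpiresAt) { return errors.New("time fields differ from the issued challenge") }
	if now.After(stored.ExpiresAt) { return errors.New("challenge expired") }
	if !ed25519.Verify(tok.PublicKey, echoed.bytes(), sig) { return errors.New("signature does not verify against the bound public key") }
	if !tok.Unlimited { return errors.New("token must be unlimited in this iteration") }
	tok.JoinCount++
	return nil
}
```

A client that re-signs a challenge with a longer expiry still fails, because the server compares the echoed times with what it issued rather than with the signature alone.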