[v16] fix: Prevent an App from setting a public address that conflicts with a Teleport Proxy public address 👮#58768

Merged
cthach merged 2 commits into branch/v16 from cthach/backport-restrict-public-addr-v16 on Sep 5, 2025
@cthach cthach commented Sep 4, 2025

Backport #58475 to branch/v16

Fixes https://github.com/gravitational/teleport-private/issues/2104

changelog: Prevents an application from being registered if its public address matches a Teleport cluster address.

github-actions bot commented Sep 4, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
| --- | --- | --- | --- | --- | --- |
| cthach/backport-restrict-public-addr-v16 | e6cb583 | 3 | ✅ SUCCEED | cthach-backport-restrict-public-addr-v16 | 2025-09-05 11:50:49 |

@cthach cthach self-assigned this Sep 4, 2025
@cthach cthach added documentation security Security Issues application-access backport size/md sec-internal Security Vulnerability - Reported by employees or auditors, no known exploitation labels Sep 4, 2025
… a Teleport Proxy public address 👮🏾 (#58475)

* fix: apps should not be able to set public_addr to the web proxy address

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* feat: add API validation

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* test: add coverage for UpsertApplicationServer

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: polish

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: make consistent

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: use ValidateApp func everywhere. Revert changes to Check* method.

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: dedupe

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: improve error messages for application address conflicts and add validation check in connections handler

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* ux: bubble up friendly error to UI

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: revert unnecessary change

* fix: app public address in redirect

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* fix: streamline proxy address validation in ValidateApp function

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: remove contact cluster admin in favor of self-service. Add logging.

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* Apply suggestions from code review

Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>

* fix: skip proxy servers with unset public addresses in ValidateApp function

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* refactor: simplify error messages for application public address conflicts with proxy

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* fix: logging in the wrong spot

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

* fix: handle when a server has multiple public addrs

Signed-off-by: Chris Thach <chris.thach@goteleport.com>

---------

Signed-off-by: Chris Thach <chris.thach@goteleport.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Signed-off-by: Chris Thach <chris.thach@goteleport.com>
@cthach cthach force-pushed the cthach/backport-restrict-public-addr-v16 branch from 542a591 to 124c3ac Compare September 4, 2025 22:06
@cthach cthach marked this pull request as ready for review September 4, 2025 22:28
@cthach cthach enabled auto-merge September 4, 2025 22:28
@cthach cthach added this pull request to the merge queue Sep 5, 2025
Merged via the queue into branch/v16 with commit 5bb6bab Sep 5, 2025
41 checks passed
@cthach cthach deleted the cthach/backport-restrict-public-addr-v16 branch September 5, 2025 12:42
@doggydogworld doggydogworld mentioned this pull request Sep 18, 2025
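
The check described in this PR's changelog and commit list (reject an app whose public address matches a proxy public address, skip proxies with no public address set, cover proxies with several addresses), as an added Go example that is not Teleport's code. `hostOf` and `validateAppPublicAddr` are hypothetical names, the addresses are constructed, and comparing by lower-cased host with scheme and port ignored is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostOf reduces "Host", "host:443" or "https://host:443/path" to a
// lower-case host name without scheme, port or trailing dot.
func hostOf(addr string) string {
	addr = strings.TrimSpace(addr)
	if i := strings.Index(addr, "://"); i >= 0 {
		addr = addr[i+3:]
	}
	if i := strings.IndexAny(addr, "/?#"); i >= 0 {
		addr = addr[:i]
	}
	if h, _, err := net.SplitHostPort(addr); err == nil {
		addr = h
	}
	return strings.ToLower(strings.TrimSuffix(addr, "."))
}

// validateAppPublicAddr is a hypothetical helper, not Teleport's ValidateApp.
// proxies holds one slice of public addresses per proxy server.
func validateAppPublicAddr(appAddr string, proxies [][]string) error {
	app := hostOf(appAddr)
	if app == "" {
		return nil // the app sets no public address, nothing to compare
	}
	for _, addrs := range proxies {
		for _, a := range addrs {
			// An unset proxy address normalizes to "" and never matches.
			if p := hostOf(a); p != "" && p == app {
				return fmt.Errorf("app public_addr %q conflicts with proxy public address %q", appAddr, a)
			}
		}
	}
	return nil
}

func main() {
	// Constructed sample data: one proxy with no public address, one with two.
	proxies := [][]string{{""}, {"teleport.example.com:443", "tp.example.com:3080"}}
	for _, a := range []string{"grafana.teleport.example.com", "TP.example.com", "teleport.example.com."} {
		fmt.Printf("%-30s -> %v\n", a, validateAppPublicAddr(a, proxies))
	}
}
```

Normalizing both sides before comparing is what keeps a differently cased name, an explicit port or a trailing dot from slipping past an exact string match.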
3 participants