Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for MFA for DB access #8270

Merged
merged 18 commits into from
Oct 6, 2021
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Merge remote-tracking branch 'origin/master' into smallinsky/dbmfa
  • Loading branch information
smallinsky committed Sep 27, 2021
commit 9b81a2df501f8f99501a90812864a32e91f572b7
1 change: 1 addition & 0 deletions lib/auth/auth.go
Original file line number Diff line number Diff line change
@@ -46,6 +46,7 @@ import (
"github.com/pborman/uuid"
"github.com/prometheus/client_golang/prometheus"
saml2 "github.com/russellhaering/gosaml2"
"github.com/sirupsen/logrus"
"golang.org/x/crypto/ssh"

"github.com/gravitational/teleport"
58 changes: 54 additions & 4 deletions lib/auth/auth_with_roles_test.go
Original file line number Diff line number Diff line change
@@ -974,7 +974,7 @@ func TestIsMFARequiredMFADB(t *testing.T) {
req *proto.IsMFARequiredRequest
}{
{
name: "RequireSessionMFA enabled MySQL protocol doesn't match database name",
name: "RequireSessionMFA enabled MySQL protocol doesn't match database name",
dbProtocol: libdefaults.ProtocolMySQL,
req: &proto.IsMFARequiredRequest{
Target: &proto.IsMFARequiredRequest_Database{
@@ -998,7 +998,7 @@ func TestIsMFARequiredMFADB(t *testing.T) {
checkMFA: require.True,
},
{
name: "RequireSessionMFA disabled",
name: "RequireSessionMFA disabled",
dbProtocol: libdefaults.ProtocolMySQL,
req: &proto.IsMFARequiredRequest{
Target: &proto.IsMFARequiredRequest_Database{
@@ -1022,7 +1022,7 @@ func TestIsMFARequiredMFADB(t *testing.T) {
checkMFA: require.False,
},
{
name: "RequireSessionMFA enabled Postgres protocol database name doesn't match",
name: "RequireSessionMFA enabled Postgres protocol database name doesn't match",
dbProtocol: libdefaults.ProtocolPostgres,
req: &proto.IsMFARequiredRequest{
Target: &proto.IsMFARequiredRequest_Database{
@@ -1046,7 +1046,7 @@ func TestIsMFARequiredMFADB(t *testing.T) {
checkMFA: require.False,
},
{
name: "RequireSessionMFA enabled Postgres protocol database name matches",
name: "RequireSessionMFA enabled Postgres protocol database name matches",
dbProtocol: libdefaults.ProtocolPostgres,
req: &proto.IsMFARequiredRequest{
Target: &proto.IsMFARequiredRequest_Database{
@@ -1126,3 +1126,53 @@ func TestIsMFARequiredMFADB(t *testing.T) {
})
}
}

// TestKindClusterConfig verifies that types.KindClusterConfig can be used
// as an alternative privilege to provide access to cluster configuration
// resources.
func TestKindClusterConfig(t *testing.T) {
t.Parallel()
ctx := context.Background()
srv, err := NewTestAuthServer(TestAuthServerConfig{Dir: t.TempDir()})
require.NoError(t, err)

getClusterConfigResources := func(ctx context.Context, user types.User) []error {
authContext, err := srv.Authorizer.Authorize(context.WithValue(ctx, ContextUser, TestUser(user.GetName()).I))
require.NoError(t, err, trace.DebugReport(err))
s := &ServerWithRoles{
authServer: srv.AuthServer,
sessions: srv.SessionServer,
alog: srv.AuditLog,
context: *authContext,
}
_, err1 := s.GetClusterAuditConfig(ctx)
_, err2 := s.GetClusterNetworkingConfig(ctx)
_, err3 := s.GetSessionRecordingConfig(ctx)
return []error{err1, err2, err3}
}

t.Run("without KindClusterConfig privilege", func(t *testing.T) {
user, err := CreateUser(srv.AuthServer, "test-user")
require.NoError(t, err)
for _, err := range getClusterConfigResources(ctx, user) {
require.Error(t, err)
require.True(t, trace.IsAccessDenied(err))
}
})

t.Run("with KindClusterConfig privilege", func(t *testing.T) {
role, err := types.NewRole("test-role", types.RoleSpecV4{
Allow: types.RoleConditions{
Rules: []types.Rule{
types.NewRule(types.KindClusterConfig, []string{types.VerbRead}),
},
},
})
require.NoError(t, err)
user, err := CreateUser(srv.AuthServer, "test-user", role)
require.NoError(t, err)
for _, err := range getClusterConfigResources(ctx, user) {
require.NoError(t, err)
}
})
}
You are viewing a condensed version of this merge commit. You can view the full changes here.