45 changes: 6 additions & 39 deletions lib/auth/init.go
Expand Up @@ -383,7 +383,7 @@ func Init(cfg InitConfig, opts ...ServerOption) (*Server, error) {
}

// Create presets - convenience and example resources.
err = createPresets(ctx, asrv)
err = createPresets(asrv)
if err != nil {
return nil, trace.Wrap(err)
}
Expand Down Expand Up @@ -484,24 +484,17 @@ func shouldInitReplaceResourceWithOrigin(stored, candidate types.ResourceWithOri
}

func migrateLegacyResources(ctx context.Context, asrv *Server) error {
err := migrateRemoteClusters(ctx, asrv)
if err != nil {
return trace.Wrap(err)
}

err = migrateRoleOptions(ctx, asrv)
if err != nil {
if err := migrateRemoteClusters(ctx, asrv); err != nil {
return trace.Wrap(err)
}

if err := migrateCertAuthorities(ctx, asrv); err != nil {
return trace.Wrap(err, "fail to migrate certificate authorities to the v7 storage format: %v; please report this at https://github.com/gravitational/teleport/issues/new?assignees=&labels=bug&template=bug_report.md including the *redacted* output of 'tctl get cert_authority'", err)
}
return nil
}

// createPresets creates preset resources - roles
func createPresets(ctx context.Context, asrv *Server) error {
// createPresets creates preset resources (eg, roles).
func createPresets(asrv *Server) error {
roles := []types.Role{
services.NewPresetEditorRole(),
services.NewPresetAccessRole(),
Expand Down Expand Up @@ -998,32 +991,6 @@ func migrateRemoteClusters(ctx context.Context, asrv *Server) error {
return nil
}

// DELETE IN: 4.3.0.
// migrateRoleOptions adds the "enhanced_recording" option to all roles.
func migrateRoleOptions(ctx context.Context, asrv *Server) error {
roles, err := asrv.GetRoles(ctx)
if err != nil {
return trace.Wrap(err)
}

for _, role := range roles {
options := role.GetOptions()
if options.BPF == nil {
log.Debugf("Migrating role %v. Added default enhanced events.", role.GetName())
options.BPF = apidefaults.EnhancedEvents()
} else {
continue
}
role.SetOptions(options)
err := asrv.UpsertRole(ctx, role)
if err != nil {
return trace.Wrap(err)
}
}

return nil
}

// DELETE IN: 8.0.0
// migrateCertAuthorities migrates the keypair storage format in cert
// authorities to the new format.
Expand All @@ -1036,7 +1003,7 @@ func migrateCertAuthorities(ctx context.Context, asrv *Server) error {
continue
}
for _, ca := range cas {
if err := migrateCertAuthority(ctx, asrv, ca); err != nil {
if err := migrateCertAuthority(asrv, ca); err != nil {
errors = append(errors, trace.Wrap(err, "failed to migrate %v: %v", ca, err))
continue
}
Expand All @@ -1053,7 +1020,7 @@ func migrateCertAuthorities(ctx context.Context, asrv *Server) error {
return nil
}

func migrateCertAuthority(ctx context.Context, asrv *Server, ca types.CertAuthority) error {
func migrateCertAuthority(asrv *Server, ca types.CertAuthority) error {
// Check if we need to migrate.
if needsMigration, err := services.CertAuthorityNeedsMigration(ca); err != nil || !needsMigration {
return trace.Wrap(err)
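Review bot: migrateLegacyResources in the second hunk now runs only the remote-cluster and certificate-authority migrations but still carries no doc comment; suggest `// migrateLegacyResources runs the storage migrations still required at startup (remote clusters, then certificate authorities) and stops at the first failure.` With migrateRoleOptions gone, a role stored with a nil BPF option block is no longer patched at startup, so presumably those defaults are now applied when roles are unmarshalled or validated — worth confirming that path exists, since the removed function's "DELETE IN: 4.3.0" marker only says it was due for removal, not that the defaulting moved. The bodies of createPresets and migrateCertAuthority begin in their hunks but continue outside them.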
6 changes: 3 additions & 3 deletions lib/auth/init_test.go
Expand Up @@ -502,11 +502,11 @@ func TestPresets(t *testing.T) {
clock := clockwork.NewFakeClock()
as.SetClock(clock)

err := createPresets(ctx, as)
err := createPresets(as)
require.NoError(t, err)

// Second call should not fail
err = createPresets(ctx, as)
err = createPresets(as)
require.NoError(t, err)

// Presets were created
Expand All @@ -527,7 +527,7 @@ func TestPresets(t *testing.T) {
err := as.CreateRole(access)
require.NoError(t, err)

err = createPresets(ctx, as)
err = createPresets(as)
require.NoError(t, err)

// Presets were created
7 changes: 6 additions & 1 deletion lib/services/local/access.go
Expand Up @@ -18,6 +18,7 @@ package local

import (
"context"
"encoding/json"
"sort"
"strings"
"time"
Expand Down Expand Up @@ -55,7 +56,11 @@ func (s *AccessService) GetRoles(ctx context.Context) ([]types.Role, error) {
role, err := services.UnmarshalRole(item.Value,
services.WithResourceID(item.ID), services.WithExpires(item.Expires))
if err != nil {
return nil, trace.Wrap(err)
// Try to get the role name for the error, it allows admins to take action
// against the "bad" role.
h := &types.ResourceHeader{}
_ = json.Unmarshal(item.Value, h)
return nil, trace.WrapWithMessage(err, "role %q", h.GetName())
}
out = append(out, role)
}
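Review bot: In GetRoles, when the stored value cannot be parsed even as a ResourceHeader the new error reads `role ""`, which does not tell the admin which item to act on. Fall back to the backend key in that case: `name := h.GetName()` / `if name == "" { name = string(item.Key) }` / `return nil, trace.WrapWithMessage(err, "role %q", name)`. Discarding the json.Unmarshal error is acceptable here because the comment above it marks the lookup as best effort, and `%q` keeps a malformed stored name from injecting control characters into the message. Note that one undecodable role still fails the whole listing closed, which is unchanged by this commit; GetRoles begins before this hunk.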