Prevent creation of invalid App for AWS OIDC Integration

marcoandredinis · marcoandredinis · commit e31d2c3e052a · 2025-01-21T12:02:57.000Z
When enabling AWS Access using an integration, the final address will be
a concatenation of the integration name and the proxy's public address.

The proxy must present a certificate valid for that address.
However, when the integration name has a dot, it will usually not work
with the proxy's certificate.
We know it won't work for Teleport Cloud, where the certificates only
allow for `&lt;app&gt;.&lt;tenant&gt;.teleport.sh`.

So, for Teleport Cloud enabling AWS Access is not possible.
For self-hosted, a warning is emitted.
diff --git a/lib/web/integrations_awsoidc.go b/lib/web/integrations_awsoidc.go
@@ -1041,6 +1041,18 @@ func (h *Handler) awsOIDCCreateAWSAppAccess(w http.ResponseWriter, r *http.Reque
 		return nil, trace.Wrap(err)
 	}
 
+	// If the integration name contains a dot, then the proxy must provide a certificate allowing *.<something>.<proxyPublicAddr>
+	if strings.Contains(integrationName, ".") {
+		// Teleport Cloud only provides certificates for *.<tenant>.teleport.sh, so this would generate an invalid address.
+		if h.GetClusterFeatures().Cloud {
+			return nil, trace.BadParameter(`Invalid integration name for enabling AWS Access. Please re-create the integration without the "."`)
+		}
+
+		// Typically, self-hosted clusters will also have a single wildcard for the name.
+		// Logging a warning message should help debug the problem in case the certificate is not valid.
+		h.logger.WarnContext(ctx, `Enabling AWS Access using an integration with a "." might not work unless your Proxy's certificate is valid for the address`, "public_addr", appServer.GetApp().GetPublicAddr())
+	}
+
 	if _, err := clt.UpsertApplicationServer(ctx, appServer); err != nil {
 		return nil, trace.Wrap(err)
 	}
diff --git a/lib/web/integrations_awsoidc_test.go b/lib/web/integrations_awsoidc_test.go
@@ -1031,6 +1031,37 @@ func TestAWSOIDCAppAccessAppServerCreationDeletion(t *testing.T) {
 		_, err = pack.clt.PostJSON(ctx, endpoint, nil)
 		require.NoError(t, err)
 	})
+
+	t.Run("using a period in the name fails when running in cloud", func(t *testing.T) {
+		enableCloudFeatureProxy(t, proxy)
+
+		// Creating an Integration using the account id as name should not return an error if the proxy is listening at the default HTTPS port
+		myIntegrationWithAccountID, err := types.NewIntegrationAWSOIDC(types.Metadata{
+			Name: "env.prod",
+		}, &types.AWSOIDCIntegrationSpecV1{
+			RoleARN: "arn:aws:iam::123456789012:role/teleport",
+		})
+		require.NoError(t, err)
+
+		_, err = env.server.Auth().CreateIntegration(ctx, myIntegrationWithAccountID)
+		require.NoError(t, err)
+		endpoint = pack.clt.Endpoint("webapi", "sites", "localhost", "integrations", "aws-oidc", "env.prod", "aws-app-access")
+		_, err = pack.clt.PostJSON(ctx, endpoint, nil)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "Invalid integration name for enabling AWS Access")
+	})
+}
+
+func enableCloudFeatureProxy(t *testing.T, proxy *testProxy) {
+	t.Helper()
+
+	existingFeatures := proxy.handler.handler.clusterFeatures
+	existingFeatures.Cloud = true
+	proxy.handler.handler.clusterFeatures = existingFeatures
+	t.Cleanup(func() {
+		existingFeatures.Cloud = false
+		proxy.handler.handler.clusterFeatures = existingFeatures
+	})
 }
 
 func TestAWSOIDCAppAccessAppServerCreationWithUserProvidedLabels(t *testing.T) {
