Prevent creation of invalid App for AWS OIDC Integration #51287
Conversation
Can we just prohibit dots in integration names?
I was wondering the same. I did not get to trace the code back to validating an integration name yet, but are there other allowed characters in an integration name that are not a valid DNS "label"? https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.1 specifies that letters, digits and hyphens are all that's allowed. Kubernetes addresses similar concerns in https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
Yes, but we must keep this code to ensure existing integrations keep working (i.e., we don't break backwards compat).
Creating the AppServer ensures we have a valid URL. We can apply the
I'll start implementing that
According to that Kubernetes link, that would be RFC 1123. RFC 1035 says it must start with alpha, not alphanumeric.
When enabling AWS Access using an integration, the final address will be a concatenation of the integration name and the proxy's public address. The proxy must present a certificate valid for that address. However, when the integration name has a dot, it will usually not work with the proxy's certificate. We know it won't work for Teleport Cloud, where the certificates only allow for `<app>.<tenant>.teleport.sh`. So, for Teleport Cloud enabling AWS Access is not possible. For self-hosted, a warning is emitted.
New AWS OIDC Integrations can't be created with invalid DNS labels (existing ones are not affected).
Demo:
Fixes #44516
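The check the thread converges on (an integration name must be a single RFC 1123 DNS label, so it can never contain a dot) and the reason behind it (a proxy certificate that only covers one label under the tenant domain), as an added, stand-alone Go example. This is not Teleport's code: `ValidateDNSLabel`, `AppPublicAddr` and `MatchesWildcardCert` are hypothetical names, the sample names and the `tenant.teleport.sh` proxy address are constructed for illustration, and accepting both letter cases is an assumption (DNS labels are case-insensitive; a deployment may choose to require lowercase as Kubernetes does).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RFC 1123 label rules as discussed in the PR thread: 1 to 63 characters,
// letters, digits and hyphens only, starting and ending with a letter or digit.
// Accepting uppercase letters is an assumption of this example (DNS is
// case-insensitive); a stricter policy could require lowercase.
const maxLabelLen = 63

var (
	ErrEmptyLabel    = errors.New("integration name must not be empty")
	ErrLabelTooLong  = errors.New("integration name must be at most 63 characters")
	ErrLabelChars    = errors.New("integration name may only contain letters, digits and hyphens")
	ErrLabelBoundary = errors.New("integration name must start and end with a letter or digit")
)

func isAlnum(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
}

// ValidateDNSLabel rejects any name that is not a single valid DNS label.
// A dot is rejected by the character rule, which is the case the PR fixes.
func ValidateDNSLabel(name string) error {
	if name == "" {
		return ErrEmptyLabel
	}
	if len(name) > maxLabelLen {
		return ErrLabelTooLong
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case isAlnum(c):
			// letters and digits are allowed anywhere
		case c == '-':
			if i == 0 || i == len(name)-1 {
				return ErrLabelBoundary
			}
		default:
			return ErrLabelChars
		}
	}
	return nil
}

// AppPublicAddr builds "<integration name>.<proxy public address>", the App
// address described in the PR, but only after the name passes validation.
// (Hypothetical helper; not the project's own function.)
func AppPublicAddr(integrationName, proxyPublicAddr string) (string, error) {
	if err := ValidateDNSLabel(integrationName); err != nil {
		return "", fmt.Errorf("refusing to create App for integration %q: %w", integrationName, err)
	}
	return integrationName + "." + proxyPublicAddr, nil
}

// MatchesWildcardCert applies the single-label wildcard rule of RFC 6125:
// "*.tenant.teleport.sh" covers exactly one label to the left of the suffix.
// This is why a name containing a dot ends up outside the certificate.
func MatchesWildcardCert(san, host string) bool {
	san, host = strings.ToLower(san), strings.ToLower(host)
	if !strings.HasPrefix(san, "*.") {
		return san == host
	}
	suffix := san[1:] // ".tenant.teleport.sh"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := host[:len(host)-len(suffix)]
	return label != "" && !strings.Contains(label, ".")
}

func main() {
	// Constructed sample values: proxy address and wildcard SAN are illustrative.
	const proxy = "tenant.teleport.sh"
	const san = "*.tenant.teleport.sh"
	for _, name := range []string{"aws-prod", "aws.prod", "-aws", ""} {
		addr, err := AppPublicAddr(name, proxy)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s covered by %s: %v\n", addr, san, MatchesWildcardCert(san, addr))
	}
}
```

The validator runs before any App resource is built, so the failure surfaces at integration creation rather than as a TLS error when a user first opens the App address; existing integrations are untouched because only the creation path calls it, matching the backwards-compatibility concern raised above.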