From 263ad7208522f9ede37d6e30fde719f7b202db38 Mon Sep 17 00:00:00 2001
From: Bartosz Leper
Date: Tue, 31 Dec 2024 17:21:47 +0100
Subject: [PATCH] Don't downgrade SSH port forwarding in roles for v18.0+
---
 lib/auth/grpcserver.go | 15 ++++++---------
 lib/auth/grpcserver_test.go | 6 +++---
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go
index d5dfc1f553f2b..4b1cdaef21422 100644
--- a/lib/auth/grpcserver.go
+++ b/lib/auth/grpcserver.go
@@ -2019,9 +2019,7 @@ func maybeDowngradeRole(ctx context.Context, role *types.RoleV6) (*types.RoleV6,
 return role, nil
 }
-var minSupportedSSHPortForwardingVersions = map[int64]semver.Version{
- 17: {Major: 17, Minor: 1, Patch: 0},
-}
+var minSupportedSSHPortForwardingVersion = semver.Version{Major: 17, Minor: 1, Patch: 0}
 func maybeDowngradeRoleSSHPortForwarding(role *types.RoleV6, clientVersion *semver.Version) *types.RoleV6 {
 sshPortForwarding := role.GetOptions().SSHPortForwarding
@@ -2029,11 +2027,10 @@ func maybeDowngradeRoleSSHPortForwarding(role *types.RoleV6, clientVersion *semv
 return role
 }
- minSupportedVersion, ok := minSupportedSSHPortForwardingVersions[clientVersion.Major]
- if ok {
- if supported, err := utils.MinVerWithoutPreRelease(clientVersion.String(), minSupportedVersion.String()); supported || err != nil {
- return role
- }
+ if supported, err := utils.MinVerWithoutPreRelease(
+ clientVersion.String(),
+ minSupportedSSHPortForwardingVersion.String()); supported || err != nil {
+ return role
 }
 role = apiutils.CloneProtoMsg(role)
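Review bot: The new package-level `minSupportedSSHPortForwardingVersion` in the first hunk has no doc comment, although it now serves as one threshold for every client major instead of a per-major table. A comment such as `// minSupportedSSHPortForwardingVersion is the first client version that understands granular SSH port forwarding; older clients of any major receive a downgraded role.` would record that. A single value can no longer express a backport of the feature to an older major, which is worth stating next to it so a later backport does not silently leave those clients downgraded.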
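Review bot: In the second hunk the guard `supported || err != nil` returns the role unmodified when `utils.MinVerWithoutPreRelease` reports an error, so a client whose version cannot be compared is treated as supporting granular port forwarding and the error is dropped. The removed code had the same branch, but only for major 17; it is now reachable for every client version, so it should at least carry a comment, e.g. `// A comparison error is treated as "supported"; clientVersion is already parsed, so this is not expected.` If an older client would ignore the granular rules (inferred; the downgrade body lies outside the hunk), downgrading on error would be the safer default. The call wrapped across three lines inside the `if` initializer is also hard to scan; assigning `supported, err := utils.MinVerWithoutPreRelease(clientVersion.String(), minSupportedSSHPortForwardingVersion.String())` first and then testing `if supported || err != nil {` reads more clearly. The function starts before and continues after this hunk.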
@@ -2044,7 +2041,7 @@ func maybeDowngradeRoleSSHPortForwarding(role *types.RoleV6, clientVersion *semv
 role.SetOptions(options)
 reason := fmt.Sprintf(`Client version %q does not support granular SSH port forwarding. Role %q will be downgraded `+
 `to simple port forwarding rules instead. In order to support granular SSH port forwarding, all clients must be `+
- `updated to version %q or higher.`, clientVersion, role.GetName(), minSupportedVersion)
+ `updated to version %q or higher.`, clientVersion, role.GetName(), minSupportedSSHPortForwardingVersion)
 if role.Metadata.Labels == nil {
 role.Metadata.Labels = make(map[string]string, 1)
 }
diff --git a/lib/auth/grpcserver_test.go b/lib/auth/grpcserver_test.go
index c92e521e386c0..60ed4193c30ae 100644
--- a/lib/auth/grpcserver_test.go
+++ b/lib/auth/grpcserver_test.go
@@ -4741,7 +4741,7 @@ func TestRoleVersions(t *testing.T) {
 {
 desc: "up to date - enabled",
 clientVersions: []string{
- "17.1.0", "17.1.0-dev", "",
+ "17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", "",
 },
 inputRole: enabledRole,
 expectedRole: enabledRole,
@@ -4749,7 +4749,7 @@ func TestRoleVersions(t *testing.T) {
 {
 desc: "up to date - disabled",
 clientVersions: []string{
- "17.1.0", "17.1.0-dev", "",
+ "17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", "",
 },
 inputRole: disabledRole,
 expectedRole: disabledRole,
@@ -4757,7 +4757,7 @@ func TestRoleVersions(t *testing.T) {
 {
 desc: "up to date - undefined",
 clientVersions: []string{
- "17.1.0", "17.1.0-dev", "",
+ "17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", "",
 },
 inputRole: undefinedRole,
 expectedRole: undefinedRole,
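Review bot: The same version list is now edited in three test cases ("up to date - enabled", "- disabled" and "- undefined"), so the next threshold change has to touch all three. A shared slice declared before the table, e.g. `upToDateVersions := []string{"17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", ""}`, would keep them in step. The added entries pin the no-downgrade side for newer majors, but nothing in these hunks pins the other side of the single threshold. If the outdated cases outside the hunks do not already include a version from an older major (constructed example: `"16.0.0"`), adding one would confirm that such clients are still downgraded.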