[v15] Always issue relogin and per-session mfa requests for the root …

…cluster URI (#42606) * Always issue relogin and per-session mfa requests for the root cluster URI (#42355) * Always issue per-session MFA requests for a root cluster URI * Always issue relogin requests for a root cluster URI * Check if cluster URI is root cluster URI in login handlers * Pass clusterUri instead of rootClusterUri to the ReAuthenticate dialog * Reserve `root_cluster_uri` field too * Resolve conflicts (cherry picked from commit 282f6f0) * Remove unnecessary type casts and add imports
gravitational · Jun 7, 2024 · cbc75c5 · cbc75c5
1 parent bb5706e
commit cbc75c5
Show file tree

Hide file tree

Showing 11 changed files with 143 additions and 113 deletions.
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/tshd_events_service.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/tshd_events_service.pb.go
diff --git a/gen/proto/ts/teleport/lib/teleterm/v1/tshd_events_service_pb.ts b/gen/proto/ts/teleport/lib/teleterm/v1/tshd_events_service_pb.ts
diff --git a/lib/teleterm/apiserver/handler/handler_auth.go b/lib/teleterm/apiserver/handler/handler_auth.go
@@ -32,6 +32,11 @@ func (s *Handler) Login(ctx context.Context, req *api.LoginRequest) (*api.EmptyR
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+
+	if !cluster.URI.IsRoot() {
+		return nil, trace.BadParameter("cluster URI must be a root URI")
+	}
+
 	// The credentials + MFA login flow in the Electron app assumes that the default CLI prompt is
 	// used and works around that. Thus we have to remove the teleterm-specific MFAPromptConstructor
 	// added by daemon.Service.ResolveClusterURI.
@@ -83,6 +88,11 @@ func (s *Handler) LoginPasswordless(stream api.TerminalService_LoginPasswordless
 	if err != nil {
 		return trace.Wrap(err)
 	}
+
+	if !cluster.URI.IsRoot() {
+		return trace.BadParameter("cluster URI must be a root URI")
+	}
+
 	// The passwordless login flow in the Electron app assumes that the default CLI prompt is used and
 	// works around that. Thus we have to remove the teleterm-specific MFAPromptConstructor added by
 	// daemon.Service.ResolveClusterURI.

diff --git a/lib/teleterm/daemon/daemon.go b/lib/teleterm/daemon/daemon.go
@@ -246,7 +246,7 @@ func (s *Service) ResolveClusterURI(uri uri.ResourceURI) (*clusters.Cluster, *cl
 
 	// Custom MFAPromptConstructor gets removed during the calls to Login and LoginPasswordless RPCs.
 	// Those RPCs assume that the default CLI prompt is in use.
-	clusterClient.MFAPromptConstructor = s.NewMFAPromptConstructor(cluster.URI.String())
+	clusterClient.MFAPromptConstructor = s.NewMFAPromptConstructor(cluster.URI)
 	return cluster, clusterClient, nil
 }
 
@@ -329,7 +329,7 @@ func (s *Service) createGateway(ctx context.Context, params CreateGatewayParams)
 		LocalPort:             params.LocalPort,
 		OnExpiredCert:         s.reissueGatewayCerts,
 		KubeconfigsDir:        s.cfg.KubeconfigsDir,
-		MFAPromptConstructor:  s.NewMFAPromptConstructor(targetURI.String()),
+		MFAPromptConstructor:  s.NewMFAPromptConstructor(targetURI),
 		ProxyClient:           proxyClient,
 	}
 
@@ -353,7 +353,7 @@ func (s *Service) createGateway(ctx context.Context, params CreateGatewayParams)
 // per-session MFA checks.
 func (s *Service) reissueGatewayCerts(ctx context.Context, g gateway.Gateway) (tls.Certificate, error) {
 	reloginReq := &api.ReloginRequest{
-		RootClusterUri: g.TargetURI().GetClusterURI().String(),
+		RootClusterUri: g.TargetURI().GetRootClusterURI().String(),
 		Reason: &api.ReloginRequest_GatewayCertExpired{
 			GatewayCertExpired: &api.GatewayCertExpired{
 				GatewayUri: g.URI().String(),