Fix HostCAs not being returned during bot renewal (#44832)

gravitational · Jul 30, 2024 · ca9fd8c · ca9fd8c
1 parent b25e84a
commit ca9fd8c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -3385,8 +3385,13 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the cert is renewable, process any certificate generation counter.
 	if certReq.renewable {
 		currentIdentityGeneration := a.context.Identity.GetIdentity().Generation
-
 		if experiment.Enabled() {
+			// If we're handling a renewal for a bot, we want to return the
+			// Host CAs as well as the User CAs.
+			if certReq.botName != "" {
+				certReq.includeHostCA = true
+			}
+
 			// Update the bot instance based on this authentication. This may create
 			// a new bot instance record if the identity is missing an instance ID.
 			if err := a.authServer.updateBotInstance(

diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
@@ -194,6 +194,9 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 		renewedIdent, err := tlsca.FromSubject(renewedCert.Subject, renewedCert.NotAfter)
 		require.NoError(t, err)
 
+		// Validate that we receive 2 TLS CAs (Host and User)
+		require.Len(t, certs.TLSCACerts, 2)
+
 		// Cert must be renewable.
 		require.True(t, renewedIdent.Renewable)
 		require.False(t, renewedIdent.DisallowReissue)