From df19dd6aa1dfb2cffbb0c4d7634ad21516b3b3fd Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Wed, 31 Jul 2024 02:00:19 +0100
Subject: [PATCH] Fix HostCAs not being returned during bot renewal (#44832)
---
 lib/auth/auth_with_roles.go | 7 ++++++-
 lib/auth/bot_test.go | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 8217f47b267ff..2592a5bbedfbb 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -3350,8 +3350,13 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the cert is renewable, process any certificate generation counter.
 	if certReq.renewable {
 		currentIdentityGeneration := a.context.Identity.GetIdentity().Generation
-		if experiment.Enabled() {
+		// If we're handling a renewal for a bot, we want to return the
+		// Host CAs as well as the User CAs.
+		if certReq.botName != "" {
+			certReq.includeHostCA = true
+		}
+
 		// Update the bot instance based on this authentication. This may create
 		// a new bot instance record if the identity is missing an instance ID.
 		if err := a.authServer.updateBotInstance(
diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
index 293284b37f704..60e446d6c58b6 100644
--- a/lib/auth/bot_test.go
+++ b/lib/auth/bot_test.go
@@ -197,6 +197,9 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 	renewedIdent, err := tlsca.FromSubject(renewedCert.Subject, renewedCert.NotAfter)
 	require.NoError(t, err)
+	// Validate that we receive 2 TLS CAs (Host and User)
+	require.Len(t, certs.TLSCACerts, 2)
+
 	// Cert must be renewable.
 	require.True(t, renewedIdent.Renewable)
 	require.False(t, renewedIdent.DisallowReissue)
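Review bot: The new `certReq.includeHostCA = true` is only reachable inside the `if certReq.renewable` branch, so a bot certificate request that reaches this function with `renewable` false still receives the User CA only; if non-renewable bot certs are served by another path that already includes the Host CA, a comment above the new `if` such as `// Non-renewable bot certs receive the Host CA via <other path — fill in>` would save the next reader from re-deriving that. It would also help to state in that comment that what is widened here is presumably only the returned CA certificate set (trust anchors, not key material), since that is why the broader return is safe for a bot. As rendered, the removed `if experiment.Enabled() {` has no matching brace removal anywhere in this patch and the hunk header counts (8 old / 13 new) exceed the visible lines, so this hunk appears to have lost lines in extraction and the counts should be checked against the original patch rather than trusted from this view. generateUserCerts begins and ends outside the hunk.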
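Review bot: `require.Len(t, certs.TLSCACerts, 2)` pins only the number of CA certificates returned, so a regression that handed back two User CAs, or any other pair, would still pass; asserting on what the entries are (for example parsing each one and checking that one belongs to the test cluster's Host CA and one to its User CA) would tie the test to the bug this patch fixes. The comment on the assertion could give the reason rather than the number: `// Bot renewals must return both the Host and User CA (#44832)`. `certs` and the rest of TestRegisterBotCertificateGenerationCheck are defined outside the hunk.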