Using SAML app gives ConditionalCheckFailedException on backend with DynamoDB #39833

greedy52 · 2024-03-26T13:49:00Z

Expected behavior:
Using SAML app should have one audit log per logic/click from WebUI. Backend should not error when emitting the event. (the event is saml.idp.auth, with display name SAML IDP authentication)

Current behavior:
Only first-time login gives an audit log. Proxy/Auth throws errors on audit event emitted on the same session ID after first login.

Related issue:
Thanks to #38495, now we are catching this. Prior to #38495, it was likely silently overwriting the same key.

Bug details:

Teleport version: v15
Recreation steps
- Enterprise
- DynamoDB backend
- On Teleport Web UI -> Access Management -> Enroll New Resource -> SAML Application
- I tested with https://sptest.iamshowcase.com/instructions#start as the SAML service provider using IDP-initiated flow
- Once SAML App is created, log in multiple times from Teleport Web UI and observe error logs on Proxy and Auth
Debug logs

2024-03-26T13:38:55Z ERRO             Failed to emit audit event of type: saml.idp.auth. error:[
ERROR REPORT:
Original Error: trace.aggregate ConditionalCheckFailedException: The conditional request failed
{
  RespMetadata: {
    StatusCode: 400,
    RequestID: &#34;KU1GTG2BN1SKD36DND9HHKBB9FVV4KQNSO5AEMVJF66Q9ASUAAJG&#34;
  },
  Message_: &#34;The conditional request failed&#34;
}
Stack Trace:
	github.com/gravitational/teleport/lib/events/emitter.go:315 github.com/gravitational/teleport/lib/events.(*MultiEmitter).EmitAuditEvent
	github.com/gravitational/teleport/lib/events/emitter.go:178 github.com/gravitational/teleport/lib/events.(*CheckingEmitter).EmitAuditEvent
	github.com/gravitational/teleport/lib/events/usageevents/usageevents.go:70 github.com/gravitational/teleport/lib/events/usageevents.(*UsageLogger).EmitAuditEvent
	github.com/gravitational/teleport/lib/auth/auth_with_roles.go:3917 github.com/gravitational/teleport/lib/auth.(*ServerWithRoles).EmitAuditEvent
	github.com/gravitational/teleport/lib/auth/grpcserver.go:187 github.com/gravitational/teleport/lib/auth.(*GRPCServer).EmitAuditEvent
	github.com/gravitational/teleport/[email protected]/client/proto/authservice.pb.go:21521 github.com/gravitational/teleport/api/client/proto._AuthService_EmitAuditEvent_Handler.func1
	github.com/gravitational/teleport/lib/auth/middleware.go:513 github.com/gravitational/teleport/lib/auth.(*Middleware).withAuthenticatedUserUnaryInterceptor
	google.golang.org/[email protected]/server.go:1203 google.golang.org/grpc.getChainUnaryHandler.func1
	github.com/gravitational/teleport/lib/limiter/limiter.go:155 github.com/gravitational/teleport/lib/auth.(*Middleware).UnaryInterceptors.(*Limiter).UnaryServerInterceptorWithCustomRate.func1
	google.golang.org/[email protected]/server.go:1203 google.golang.org/grpc.getChainUnaryHandler.func1
	github.com/gravitational/teleport/[email protected]/utils/grpc/interceptors/errors.go:76 github.com/gravitational/teleport/api/utils/grpc/interceptors.GRPCServerUnaryErrorInterceptor
	google.golang.org/[email protected]/server.go:1203 google.golang.org/grpc.getChainUnaryHandler.func1
	github.com/grpc-ecosystem/go-grpc-middleware/[email protected]/interceptors/server.go:22 github.com/gravitational/teleport/lib/auth.(*Middleware).UnaryInterceptors.(*ServerMetrics).UnaryServerInterceptor.UnaryServerInterceptor.func2
	google.golang.org/[email protected]/server.go:1203 google.golang.org/grpc.getChainUnaryHandler.func1
	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]/interceptor.go:326 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1
	google.golang.org/[email protected]/server.go:1194 google.golang.org/grpc.NewServer.chainUnaryServerInterceptors.chainUnaryInterceptors.func1
	github.com/gravitational/teleport/[email protected]/client/proto/authservice.pb.go:21523 github.com/gravitational/teleport/api/client/proto._AuthService_EmitAuditEvent_Handler
	google.golang.org/[email protected]/server.go:1386 google.golang.org/grpc.(*Server).processUnaryRPC
	google.golang.org/[email protected]/server.go:1797 google.golang.org/grpc.(*Server).handleStream
	google.golang.org/[email protected]/server.go:1027 google.golang.org/grpc.(*Server).serveStreams.func2.1
	runtime/asm_amd64.s:1695 runtime.goexit

The text was updated successfully, but these errors were encountered:

greedy52 · 2024-07-22T22:02:45Z

Can this be closed now?

greedy52 added bug audit-log Issues related to Teleports Audit Log labels Mar 26, 2024

greedy52 assigned gabrielcorado Mar 26, 2024

espadolini mentioned this issue Apr 2, 2024

session.command event hits a ConditionalCheckFailedException on dynamoevents #40126

Closed

jentfoo added security Security Issues sec-type-audit Security Vulnerability - Audit Log Bypass sec-sev-medium Security Vulnerability - Medium Severity internal-bounty-ineligible labels Apr 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Using SAML app gives ConditionalCheckFailedException on backend with DynamoDB #39833

Using SAML app gives ConditionalCheckFailedException on backend with DynamoDB #39833

greedy52 commented Mar 26, 2024 •

edited

Loading

greedy52 commented Jul 22, 2024

Using SAML app gives ConditionalCheckFailedException on backend with DynamoDB #39833

Using SAML app gives ConditionalCheckFailedException on backend with DynamoDB #39833

Comments

greedy52 commented Mar 26, 2024 • edited Loading

greedy52 commented Jul 22, 2024

greedy52 commented Mar 26, 2024 •

edited

Loading