From 272742e1756dd7104558fe5e769208415aef3de0 Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Tue, 30 Jul 2024 17:49:55 +0100
Subject: [PATCH] Fix HostCAs not being returned during bot renewal

---
 lib/auth/auth_with_roles.go | 7 ++++++-
 lib/auth/bot_test.go        | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index d70f10acc49f2..3dbfb198bf08d 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -3385,8 +3385,13 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the cert is renewable, process any certificate generation counter.
 	if certReq.renewable {
 		currentIdentityGeneration := a.context.Identity.GetIdentity().Generation
-
 		if experiment.Enabled() {
+			// If we're handling a renewal for a bot, we want to return the
+			// Host CAs as well as the User CAs.
+			if certReq.botName != "" {
+				certReq.includeHostCA = true
+			}
+
 			// Update the bot instance based on this authentication. This may create
 			// a new bot instance record if the identity is missing an instance ID.
 			if err := a.authServer.updateBotInstance(
diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
index ca0de6b01326d..efc132d68e835 100644
--- a/lib/auth/bot_test.go
+++ b/lib/auth/bot_test.go
@@ -194,6 +194,9 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 	renewedIdent, err := tlsca.FromSubject(renewedCert.Subject, renewedCert.NotAfter)
 	require.NoError(t, err)
 
+	// Validate that we receive 2 TLS CAs (Host and User)
+	require.Len(t, certs.TLSCACerts, 2)
+
 	// Cert must be renewable.
 	require.True(t, renewedIdent.Renewable)
 	require.False(t, renewedIdent.DisallowReissue)
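Review bot: The new `certReq.includeHostCA = true` block appears to sit inside the `if experiment.Enabled() {` context line that follows the removed blank line, so a bot renewal with the experiment disabled would still be answered without Host CAs, which is the defect the subject line says this fixes; the hunk header counts (8 old, 13 new) support that reading, but the brace structure is only partly visible. If the Host CA must be returned on every bot renewal, the `if certReq.botName != "" { ... }` block belongs one level up, directly after the `currentIdentityGeneration` assignment and outside the experiment gate. If the gating is intentional, the added comment should say so, e.g. `// Only under the bot-instance experiment: return the Host CAs as well as the User CAs on bot renewals.` so a reader does not assume the fix is unconditional. generateUserCerts starts and ends outside the hunk.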
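Review bot: `require.Len(t, certs.TLSCACerts, 2)` pins only the count, so a response carrying two User CA certificates (or two Host CA certificates) would still pass even though the regression being guarded is the absence of the Host CA specifically. If the CA type is recoverable from the returned PEM blocks, assert that exactly one Host CA and one User CA are present; otherwise compare the returned certificates against the Host and User CA certificates fetched from the test auth server rather than relying on the count alone. The `certs` value asserted on is defined outside the hunk, and TestRegisterBotCertificateGenerationCheck continues past it.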