Include the current access requests when issuing new user certs

This is necessary because we extend the list of current roles instead of starting from the statically assigned ones, so we should also keep track of all the potential ways that those roles were granted to the user.
gravitational · Jan 26, 2022 · 94fb8bd · 94fb8bd
1 parent 1c74c77
commit 94fb8bd
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -1438,6 +1438,10 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the user is generating a certificate, the roles and traits come from the logged in identity.
 	if req.Username == a.context.User.GetName() {
 		roles, traits, err = services.ExtractFromIdentity(a.authServer, a.context.Identity.GetIdentity())
+		// we're going to extend the roles list based on the access requests, so
+		// we ensure that all the current requests are added to the new
+		// certificate (and are checked again)
+		req.AccessRequests = append(req.AccessRequests, a.context.Identity.GetIdentity().ActiveRequests...)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}