From 94fb8bdcb38416d332c0c70a1cbd87a19d7a0f5a Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Wed, 22 Dec 2021 18:05:45 +0100
Subject: [PATCH] Include the current access requests when issuing new user certs

This is necessary because we extend the list of current roles instead of starting from the statically assigned ones, so we should also keep track of all the potential ways that those roles were granted to the user.
---
 lib/auth/auth_with_roles.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 38a2511fb1dc3..c45dd4e9d66f5 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -1438,6 +1438,10 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the user is generating a certificate, the roles and traits come from the logged in identity.
 	if req.Username == a.context.User.GetName() {
 		roles, traits, err = services.ExtractFromIdentity(a.authServer, a.context.Identity.GetIdentity())
+		// we're going to extend the roles list based on the access requests, so
+		// we ensure that all the current requests are added to the new
+		// certificate (and are checked again)
+		req.AccessRequests = append(req.AccessRequests, a.context.Identity.GetIdentity().ActiveRequests...)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
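Review bot: The added `req.AccessRequests = append(...)` is placed between the `services.ExtractFromIdentity` call and its `if err != nil` check, so the error handling is no longer adjacent to the call it guards; moving the comment and append below the closing `}` of that check keeps the call/check pair intact and avoids mutating `req` on a path that returns an error anyway. A caller that already lists some of its active request IDs in `req.AccessRequests` will end up with duplicate IDs after the append; whether the downstream validation tolerates that is not visible here, so either deduplicate when appending (e.g. skip IDs already present) or note in the comment that duplicates are expected to be harmless, and the phrase "(and are checked again)" would be more useful if it named where that re-check happens. The enclosing generateUserCerts body starts before and continues after this hunk.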