From bbd0f4ca873e63dba07a33772e20a468be7910fe Mon Sep 17 00:00:00 2001 From: STeve Huang Date: Thu, 9 Jan 2025 16:06:21 -0500 Subject: [PATCH] change special suffix to teleport-github-org for routing --- api/types/constants.go | 2 +- api/types/server.go | 6 +++--- lib/srv/authhandlers.go | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/api/types/constants.go b/api/types/constants.go index b274b1871de4f..10aa2322998d3 100644 --- a/api/types/constants.go +++ b/api/types/constants.go @@ -1496,5 +1496,5 @@ const ( const ( // GitHubOrgServerDomain is the sub domain used in the hostname of a // types.Server to indicate the GitHub organization of a Git server. - GitHubOrgServerDomain = "github-org" + GitHubOrgServerDomain = "teleport-github-org" ) diff --git a/api/types/server.go b/api/types/server.go index afc437bfc116d..ed84089ad3bfd 100644 --- a/api/types/server.go +++ b/api/types/server.go @@ -616,9 +616,6 @@ func (s *ServerV2) gitServerCheckAndSetDefaults() error { } func (s *ServerV2) githubCheckAndSetDefaults() error { - // Set SSH host port for GitHub. - s.Spec.Addr = "github.com:22" - if s.Spec.GitHub == nil { return trace.BadParameter("github must be set for Subkind %q", s.SubKind) } @@ -629,6 +626,9 @@ func (s *ServerV2) githubCheckAndSetDefaults() error { return trace.Wrap(err, "invalid GitHub organization name") } + // Set SSH host port for connection and "fake" hostname for routing. These + // values are hard-coded and cannot be customized. + s.Spec.Addr = "github.com:22" s.Spec.Hostname = MakeGitHubOrgServerDomain(s.Spec.GitHub.Organization) if s.Metadata.Labels == nil { s.Metadata.Labels = make(map[string]string) diff --git a/lib/srv/authhandlers.go b/lib/srv/authhandlers.go index 74f2eaba94d4e..6a80ce5c83f3a 100644 --- a/lib/srv/authhandlers.go +++ b/lib/srv/authhandlers.go @@ -468,6 +468,8 @@ func (h *AuthHandlers) UserKeyAuth(conn ssh.ConnMetadata, key ssh.PublicKey) (*s log.WarnContext(ctx, "Received unexpected cert type", "cert_type", cert.CertType) } + // Skip RBAC check for proxy or git servers. RBAC check on git servers are + // performed outside this handler. if h.isProxy() || h.c.Component == teleport.ComponentForwardingGit { return permissions, nil }