From 5f4419c404d3364b5b4de34ba6df583f5269b5fc Mon Sep 17 00:00:00 2001
From: Bernard Kim
Date: Tue, 21 Jan 2025 17:19:58 -0800
Subject: [PATCH] Verify subscription id matches (#51085)
---
 lib/auth/join_azure.go | 3 +++
 lib/auth/join_azure_test.go | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/lib/auth/join_azure.go b/lib/auth/join_azure.go
index 7d9fbd7720b9d..ff373543aa707 100644
--- a/lib/auth/join_azure.go
+++ b/lib/auth/join_azure.go
@@ -289,6 +289,9 @@ func verifyVMIdentity(
 // from the VM resource.
 vmSubscription, vmResourceGroup, err := claimsToIdentifiers(tokenClaims)
 if err == nil {
+ if subscriptionID != vmSubscription {
+ return nil, trace.AccessDenied("subscription ID mismatch between attested data and access token")
+ }
 return azureJoinToAttrs(vmSubscription, vmResourceGroup), nil
 }
 log.WithError(err).Warn("Failed to parse VM identifiers from claims. Retrying with Azure VM API.")
diff --git a/lib/auth/join_azure_test.go b/lib/auth/join_azure_test.go
index 045a2b974e5a8..29b4d0e483db9 100644
--- a/lib/auth/join_azure_test.go
+++ b/lib/auth/join_azure_test.go
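Review bot: The new guard in verifyVMIdentity returns a bare AccessDenied and records nothing, so an operator investigating a refused join has no trace of which two subscription IDs disagreed; assuming `log` is the logrus-style entry its `WithError` call suggests, a `log.WithField("attested_subscription", subscriptionID).WithField("token_subscription", vmSubscription).Warn("Subscription ID mismatch, denying Azure join")` before the return would make the condition observable server-side without changing what the client sees. The comparison is a case-sensitive `!=`; if the attested data and the token claim can carry differently cased IDs (I cannot tell from the hunk how either value is normalized), legitimate joins would be refused, so either normalize both or document that the sources agree on case. A one-line why-comment above the check would also help, e.g. `// The subscription from the signed attested data must agree with the one in the access token claims, otherwise a token for a VM in another subscription could satisfy this rule.` The rest of verifyVMIdentity, including the Azure VM API fallback taken when claimsToIdentifiers fails, is outside the hunk, so I could not confirm whether that path performs an equivalent comparison.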
@@ -754,6 +754,28 @@ func TestAuth_RegisterUsingAzureClaims(t *testing.T) {
 certs: []*x509.Certificate{tlsConfig.Certificate},
 assertError: require.NoError,
 },
+ {
+ name: "subscription mismatch between attestation and token",
+ requestTokenName: "test-token",
+ tokenSubscription: "attested-subscription",
+ tokenVMID: defaultVMID,
+ tokenManagedIdentityResourceID: vmResourceID("token-subscription", defaultResourceGroup, defaultVMName),
+ tokenSpec: types.ProvisionTokenSpecV2{
+ Roles: []types.SystemRole{types.RoleNode},
+ Azure: &types.ProvisionTokenSpecV2Azure{
+ Allow: []*types.ProvisionTokenSpecV2Azure_Rule{
+ {
+ Subscription: "token-subscription",
+ ResourceGroups: []string{defaultResourceGroup},
+ },
+ },
+ },
+ JoinMethod: types.JoinMethodAzure,
+ },
+ verify: mockVerifyToken(nil),
+ certs: []*x509.Certificate{tlsConfig.Certificate},
+ assertError: isAccessDenied,
+ },
 }
 for _, tc := range tests {