From 26f8b94e0c2c3ee9e845f4d90bae63600cdb4b27 Mon Sep 17 00:00:00 2001
From: Bartosz Leper
Date: Tue, 14 Jan 2025 13:47:47 +0100
Subject: [PATCH] Don't downgrade SSH port forwarding in roles for v18.0+ (#50870)
---
 lib/auth/grpcserver.go | 15 ++++++---------
 lib/auth/grpcserver_test.go | 6 +++---
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go
index bc11e52be9074..de38d262d3fe6 100644
--- a/lib/auth/grpcserver.go
+++ b/lib/auth/grpcserver.go
@@ -1995,9 +1995,7 @@ func maybeDowngradeRole(ctx context.Context, role *types.RoleV6) (*types.RoleV6,
 return role, nil
 }
 
-var minSupportedSSHPortForwardingVersions = map[int64]semver.Version{
- 17: {Major: 17, Minor: 1, Patch: 0},
-}
+var minSupportedSSHPortForwardingVersion = semver.Version{Major: 17, Minor: 1, Patch: 0}

 func maybeDowngradeRoleSSHPortForwarding(role *types.RoleV6, clientVersion *semver.Version) *types.RoleV6 {
 sshPortForwarding := role.GetOptions().SSHPortForwarding
@@ -2005,11 +2003,10 @@ func maybeDowngradeRoleSSHPortForwarding(role *types.RoleV6, clientVersion *semv
 return role
 }
 
- minSupportedVersion, ok := minSupportedSSHPortForwardingVersions[clientVersion.Major]
- if ok {
- if supported, err := utils.MinVerWithoutPreRelease(clientVersion.String(), minSupportedVersion.String()); supported || err != nil {
- return role
- }
+ if supported, err := utils.MinVerWithoutPreRelease(
+ clientVersion.String(),
+ minSupportedSSHPortForwardingVersion.String()); supported || err != nil {
+ return role
 }

 role = apiutils.CloneProtoMsg(role)
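Review bot: The new package-level `minSupportedSSHPortForwardingVersion` in the first grpcserver.go hunk has no doc comment, although it is now the single threshold deciding which clients receive a role with granular SSH port forwarding rewritten to the simple form. A comment such as `// minSupportedSSHPortForwardingVersion is the first client version that understands granular SSH port forwarding; older clients receive a downgraded role.` would record that. Because Go has no struct constants this stays a mutable `var`, so the comment could also say it must not be reassigned at runtime.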
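Review bot: The `supported || err != nil` condition on the added `utils.MinVerWithoutPreRelease` call in the second grpcserver.go hunk returns the role un-downgraded when the comparison itself fails, and the error is discarded without a log line. With one threshold now applied to every client major, that branch hands the granular rules unchanged to a client whose version could not be compared; if older clients ignore options they do not understand (not visible here), that is the permissive direction. Consider treating an error as "not supported", e.g. `...; err == nil && supported {`, or at least logging `err` before returning. maybeDowngradeRoleSSHPortForwarding starts in the previous hunk and continues past this one, so any nil handling of `clientVersion` is outside the visible lines.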
@@ -2020,7 +2017,7 @@ func maybeDowngradeRoleSSHPortForwarding(role *types.RoleV6, clientVersion *semv
 role.SetOptions(options)
 reason := fmt.Sprintf(`Client version %q does not support granular SSH port forwarding. Role %q will be downgraded `+
 `to simple port forwarding rules instead. In order to support granular SSH port forwarding, all clients must be `+
- `updated to version %q or higher.`, clientVersion, role.GetName(), minSupportedVersion)
+ `updated to version %q or higher.`, clientVersion, role.GetName(), minSupportedSSHPortForwardingVersion)
 if role.Metadata.Labels == nil {
 role.Metadata.Labels = make(map[string]string, 1)
 }
diff --git a/lib/auth/grpcserver_test.go b/lib/auth/grpcserver_test.go
index 8a91f952e001e..f3b2d598969fd 100644
--- a/lib/auth/grpcserver_test.go
+++ b/lib/auth/grpcserver_test.go
@@ -4678,7 +4678,7 @@ func TestRoleVersions(t *testing.T) {
 {
 desc: "up to date - enabled",
 clientVersions: []string{
- "17.1.0", "17.1.0-dev", "",
+ "17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", "",
 },
 inputRole: enabledRole,
 expectedRole: enabledRole,
@@ -4686,7 +4686,7 @@ func TestRoleVersions(t *testing.T) {
 {
 desc: "up to date - disabled",
 clientVersions: []string{
- "17.1.0", "17.1.0-dev", "",
+ "17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", "",
 },
 inputRole: disabledRole,
 expectedRole: disabledRole,
@@ -4694,7 +4694,7 @@ func TestRoleVersions(t *testing.T) {
 {
 desc: "up to date - undefined",
 clientVersions: []string{
- "17.1.0", "17.1.0-dev", "",
+ "17.1.0", "17.1.0-dev", "18.0.0-dev", "19.0.0", "",
 },
 inputRole: undefinedRole,
 expectedRole: undefinedRole,
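Review bot: The added `"18.0.0-dev"` and `"19.0.0"` entries in the `up to date - enabled` case, and the identical additions in `up to date - disabled` and `up to date - undefined`, only pin the pass-through side of the new single threshold. A client major below 17 used to miss the per-major map and fall straight through to the downgrade; it now goes through `MinVerWithoutPreRelease` instead. If the downgrade-expected cases outside these hunks do not already include one, adding a version such as `"16.0.0"` there would confirm that older clients still receive the downgraded role. TestRoleVersions starts and ends outside the visible hunks.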