Skip to content

[v18] Fixes possible collisions when hashing immutable labels#63981

Merged
eriktate merged 1 commit intobranch/v18from
eriktate/backport-63733-branch/v18
Feb 20, 2026
Merged

[v18] Fixes possible collisions when hashing immutable labels#63981
eriktate merged 1 commit intobranch/v18from
eriktate/backport-63733-branch/v18

Conversation

@eriktate
Copy link
Contributor

@eriktate eriktate commented Feb 19, 2026
edited
Loading

Backports #63733 to branch/v18

Manual testing

  • Provision a scoped token assigning immutable labels: tctl scoped tokens add --type=node --scope=/local --assign-scope=/local --ssh-labels=aaa=bbbcccddd
  • Confirm nodes are still able to join and heartbeat with immutable labels
  • Restart the node and confirm it retains its immutable labels and heartbeats are successful
  • Stop the node and modify the immutable labels in process storage to be:
{
  "immutable_labels": {
    "ssh": {
      "aaa": "bbb",
      "ccc": "ddd"
    }
  }
}
  • Restart the node and confirm it fails to register its inventory control stream with an auth error complaining about immutable labels not matching the cert's label hash

@github-actions github-actions bot requested review from cthach and nklaassen February 19, 2026 16:46
@eriktate eriktate added the scopes Work related to scoped access (RFD 229). label Feb 19, 2026
@eriktate eriktate added the no-changelog Indicates that a PR does not require a changelog entry label Feb 19, 2026
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from cthach February 19, 2026 23:54
@eriktate eriktate force-pushed the eriktate/backport-63733-branch/v18 branch from 6b2395c to ecb393b Compare February 20, 2026 22:30
@eriktate
Fixes possible collisions when hashing immutable labels (#63733)
416ed37 
* fixing possibility of collisions when hashing immutable labels

* reworking to also handle collisions between service types and single label collisions

* adding known-good hash regression tests

* adding fuzz test
@eriktate eriktate force-pushed the eriktate/backport-63733-branch/v18 branch from ecb393b to 416ed37 Compare February 20, 2026 22:31
@eriktate eriktate added this pull request to the merge queue Feb 20, 2026
Merged via the queue into branch/v18 with commit b36438e Feb 20, 2026
39 checks passed
@eriktate eriktate deleted the eriktate/backport-63733-branch/v18 branch February 20, 2026 23:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nklaassen nklaassen nklaassen approved these changes

@fspmarshall fspmarshall fspmarshall approved these changes

Assignees

No one assigned

Labels

backport no-changelog Indicates that a PR does not require a changelog entry scopes Work related to scoped access (RFD 229). size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eriktate @nklaassen @fspmarshall