enh: add config validator for *addPersonalAccess plugins

Stéphane Lesimple 2023-06-02 12:09:32 +00:00
parent 340ebd0bec
commit 1b8adf2165
No known key found for this signature in database
GPG key ID: 4B4A3289E9D35658
6 changed files with 71 additions and 3 deletions


@ -0,0 +1,9 @@
package OVH::Bastion::Plugin::accountAddPersonalAccess;
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
require OVH::Bastion::Plugin::addPersonalAccess;
*validate_config = \&OVH::Bastion::Plugin::addPersonalAccess::validate_config;
1;


@ -0,0 +1,38 @@
package OVH::Bastion::Plugin::addPersonalAccess;
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
sub validate_config {
my %params = @_;
my $config = $params{'config'};
if (!$config) {
return R('ERR_MISSING_PARAMETER', msg => "Missing config parameter");
}
if (ref $config ne 'HASH') {
return R('ERR_INVALID_PARAMETER', msg => "The config parameter is not a hash");
}
my $widestV4Prefix = $config->{'widest_v4_prefix'};
if (defined $widestV4Prefix) {
if ($widestV4Prefix =~ /([0-9]+)/) {
$widestV4Prefix = $1;
}
if ($widestV4Prefix > 32 || $widestV4Prefix < 0) {
warn_syslog("Invalid value '$widestV4Prefix' for widest_v4_prefix of selfAddPersonalAccess");
return R('ERR_CONFIGURATION_ERROR',
msg => "This plugin has a configuration error, please report to your nearest sysadmin");
}
$config->{'widest_v4_prefix'} = $widestV4Prefix;
}
return R('OK', value => $config);
}
1;
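Review bot: The digit check `if ($widestV4Prefix =~ /([0-9]+)/)` is unanchored and has no failure branch, so validate_config accepts values it should reject. A value such as `"3x"` is silently truncated to 3, `-5` becomes 5 (which makes the `< 0` test unreachable for such input), and a value with no digits at all skips the capture, compares as 0 in the range test and is written back to the config unchanged. Because this setting presumably bounds how wide a prefix a user may add, a malformed value should fail closed: `if ($widestV4Prefix !~ /^([0-9]+)$/ || $1 > 32) { ... return R('ERR_CONFIGURATION_ERROR', ...) }` followed by `$widestV4Prefix = $1;`. The warn_syslog text also hard-codes selfAddPersonalAccess although this validator is aliased into more than one plugin package, which would mislead whoever reads the log for the account variant.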


@ -0,0 +1,9 @@
package OVH::Bastion::Plugin::selfAddPersonalAccess;
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
require OVH::Bastion::Plugin::addPersonalAccess;
*validate_config = \&OVH::Bastion::Plugin::addPersonalAccess::validate_config;
1;


@ -812,8 +812,9 @@ sub plugin_config {
# do we have a config validator for this plugin?
## no critic(Modules::RequireBarewordIncludes)
eval { require "OVH::Bastion::Plugin::$plugin"; };
eval { require "OVH/Bastion/Plugin/$plugin.pm"; };
if (!$@) {
osh_debug("We have a config validator for $plugin");
my $validator = "OVH::Bastion::Plugin::${plugin}::validate_config";
$fnret = $validator->(config => \%config);
if (!$fnret || !$fnret->value) {
@ -821,6 +822,10 @@ sub plugin_config {
return R('ERR_INVALID_CONFIGURATION', msg => "Plugin configuration is invalid");
}
%config = %{$fnret->value};
osh_debug("Configuration for $plugin is valid");
}
else {
osh_debug("We don't have a config validator for $plugin ($@)");
}
}
else {
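Review bot: The new `else` branch treats every failure of `require "OVH/Bastion/Plugin/$plugin.pm"` as "no validator", so a validator module that exists but fails to load (syntax error, missing dependency) is reported only through osh_debug and the configuration then appears to be used unvalidated. Failing closed unless the error is the not-found case would avoid that, e.g. `elsif ($@ !~ m{^Can't locate OVH/Bastion/Plugin/}) { return R('ERR_INVALID_CONFIGURATION', msg => "Plugin configuration is invalid"); }` ahead of the debug-only branch. `$plugin` is also interpolated into the path given to require and into the symbolic sub name; its validation is not visible here, so confirm it is restricted to a plugin-name character set before this point. plugin_config's body starts and ends outside the hunk.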


@ -122,7 +122,14 @@ testsuite_selfaccesses()
json .command selfAddPersonalAccess .error_code OK_NO_CHANGE .value null
# test selfAddPersonalAccess config items
success selfAddPersonalAccess_setconfig1 $r0 "echo '\{\\\"self_remote_user_only\\\":true\,\\\"widest_v4_prefix\\\":30\}' \> $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf \; chmod o+r $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf"
success selfAddPersonalAccess_setconfig_invalid $r0 "echo '\{\\\"self_remote_user_only\\\":true\,\\\"widest_v4_prefix\\\":99\}' \> $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf \; chmod o+r $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf"
run selfAddPersonalAccess_invalid_config $a0 --osh selfAddPersonalAccess --host 127.0.0.9 --user-any --port-any
retvalshouldbe 106
json .error_code KO_PLUGIN_DISABLED
contain "configuration error"
success selfAddPersonalAccess_setconfig_valid $r0 "echo '\{\\\"self_remote_user_only\\\":true\,\\\"widest_v4_prefix\\\":30\}' \> $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf \; chmod o+r $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf"
plgfail selfAddPersonalAccess_self_remote_user_only $a0 --osh selfAddPersonalAccess --host 127.0.0.9 --user notme --port-any
json .error_code ERR_INVALID_PARAMETER
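Review bot: The new invalid-config case only exercises an out-of-range integer (`widest_v4_prefix` set to 99), so the validator's handling of malformed values is untested. Repeating the setconfig/run pair with a non-numeric string and with a negative number, each expecting `json .error_code KO_PLUGIN_DISABLED`, would pin the fail-closed behaviour for those inputs as well. testsuite_selfaccesses() starts and ends outside the hunk.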


@ -141,7 +141,7 @@ EOS
# now that we have several keys, take the opportunity to test force-key
plgfail a1_add_access_force_key_and_pwd_g1 $a1 --osh groupAddServer --host 127.1.2.3 --user-any --port-any --force --force-password '$1$2$3456' --force-key "$key1fp" --group $group1
.error_code ERR_CONFLICTING_PARAMETERS
json .error_code ERR_CONFLICTING_PARAMETERS
success a1_add_access_force_key_g1 $a1 --osh groupAddServer --host 127.1.2.3 --user-any --port-any --force --force-key "$key1fp" --group $group1