From 1b8adf2165bfd21e0c685c120f2d83ba9bd602ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Fri, 2 Jun 2023 12:09:32 +0000
Subject: [PATCH] enh: add config validator for *addPersonalAccess plugins

---
 .../Plugin/accountAddPersonalAccess.pm | 9 +++++
 .../OVH/Bastion/Plugin/addPersonalAccess.pm | 38 +++++++++++++++++++
 .../Bastion/Plugin/selfAddPersonalAccess.pm | 9 +++++
 lib/perl/OVH/Bastion/configuration.inc | 7 +++-
 tests/functional/tests.d/340-selfaccesses.sh | 9 ++++-
 tests/functional/tests.d/350-groups.sh | 2 +-
 6 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 lib/perl/OVH/Bastion/Plugin/accountAddPersonalAccess.pm
 create mode 100644 lib/perl/OVH/Bastion/Plugin/addPersonalAccess.pm
 create mode 100644 lib/perl/OVH/Bastion/Plugin/selfAddPersonalAccess.pm

diff --git a/lib/perl/OVH/Bastion/Plugin/accountAddPersonalAccess.pm b/lib/perl/OVH/Bastion/Plugin/accountAddPersonalAccess.pm
new file mode 100644
index 0000000..8c77e47
--- /dev/null
+++ b/lib/perl/OVH/Bastion/Plugin/accountAddPersonalAccess.pm
@@ -0,0 +1,9 @@
+package OVH::Bastion::Plugin::accountAddPersonalAccess;
+# vim: set filetype=perl ts=4 sw=4 sts=4 et:
+use common::sense;
+
+require OVH::Bastion::Plugin::addPersonalAccess;
+
+*validate_config = \&OVH::Bastion::Plugin::addPersonalAccess::validate_config;
+
+1;
diff --git a/lib/perl/OVH/Bastion/Plugin/addPersonalAccess.pm b/lib/perl/OVH/Bastion/Plugin/addPersonalAccess.pm
new file mode 100644
index 0000000..94b7383
--- /dev/null
+++ b/lib/perl/OVH/Bastion/Plugin/addPersonalAccess.pm
@@ -0,0 +1,38 @@
+package OVH::Bastion::Plugin::addPersonalAccess;
+# vim: set filetype=perl ts=4 sw=4 sts=4 et:
+use common::sense;
+
+use File::Basename;
+use lib dirname(__FILE__) . '/../../../../../lib/perl';
+use OVH::Result;
+use OVH::Bastion;
+
+sub validate_config {
+    my %params = @_;
+    my $config = $params{'config'};
+
+    if (!$config) {
+        return R('ERR_MISSING_PARAMETER', msg => "Missing config parameter");
+    }
+
+    if (ref $config ne 'HASH') {
+        return R('ERR_INVALID_PARAMETER', msg => "The config parameter is not a hash");
+    }
+
+    my $widestV4Prefix = $config->{'widest_v4_prefix'};
+    if (defined $widestV4Prefix) {
+        if ($widestV4Prefix =~ /([0-9]+)/) {
+            $widestV4Prefix = $1;
+        }
+        if ($widestV4Prefix > 32 || $widestV4Prefix < 0) {
+            warn_syslog("Invalid value '$widestV4Prefix' for widest_v4_prefix of selfAddPersonalAccess");
+            return R('ERR_CONFIGURATION_ERROR',
+                msg => "This plugin has a configuration error, please report to your nearest sysadmin");
+        }
+        $config->{'widest_v4_prefix'} = $widestV4Prefix;
+    }
+
+    return R('OK', value => $config);
+}
+
+1;
diff --git a/lib/perl/OVH/Bastion/Plugin/selfAddPersonalAccess.pm b/lib/perl/OVH/Bastion/Plugin/selfAddPersonalAccess.pm
new file mode 100644
index 0000000..ec1d151
--- /dev/null
+++ b/lib/perl/OVH/Bastion/Plugin/selfAddPersonalAccess.pm
@@ -0,0 +1,9 @@
+package OVH::Bastion::Plugin::selfAddPersonalAccess;
+# vim: set filetype=perl ts=4 sw=4 sts=4 et:
+use common::sense;
+
+require OVH::Bastion::Plugin::addPersonalAccess;
+
+*validate_config = \&OVH::Bastion::Plugin::addPersonalAccess::validate_config;
+
+1;
diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc
index 947f270..075427c 100644
--- a/lib/perl/OVH/Bastion/configuration.inc
+++ b/lib/perl/OVH/Bastion/configuration.inc
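Review bot: The `widest_v4_prefix` check in validate_config is fail-open for anything that is not a plain integer: the unanchored `/([0-9]+)/` turns `"-1"` into `1` (so the `< 0` branch is unreachable for string input) and `"1.5abc"` into `1`, while a value with no digits at all (e.g. `"abc"`) skips the capture, compares as 0 against both bounds, is accepted and stored unchanged, and a consumer that later uses it numerically will treat it as /0 — the widest possible prefix, the opposite of what a restrictive but mistyped setting intends. I would anchor the match and reject everything else, as sketched below. The syslog line also names selfAddPersonalAccess even when the same sub is reached through the accountAddPersonalAccess alias; since plugin_config only passes `config => \%config`, either make the message generic (`for widest_v4_prefix of an addPersonalAccess plugin`) or have the callers pass the plugin name. A short header comment such as `# Shared validator for the account/self AddPersonalAccess plugin.*.conf files; normalises widest_v4_prefix to an integer in 0..32` would also help the next reader.
```perl
    my $widestV4Prefix = $config->{'widest_v4_prefix'};
    if (defined $widestV4Prefix) {
        # only a bare integer in 0..32 is acceptable; "-1", "1.5", "abc" etc. must be
        # rejected here rather than silently coerced (and later numified to 0 by the consumer)
        if ($widestV4Prefix =~ /\A([0-9]+)\z/ && $1 <= 32) {
            $config->{'widest_v4_prefix'} = $1 + 0;
        }
        else {
            warn_syslog("Invalid value '$widestV4Prefix' for widest_v4_prefix of an addPersonalAccess plugin");
            return R('ERR_CONFIGURATION_ERROR',
                msg => "This plugin has a configuration error, please report to your nearest sysadmin");
        }
    }
    # … unchanged: return R('OK', value => $config) …
```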
@@ -812,8 +812,9 @@ sub plugin_config {
         # do we have a config validator for this plugin?
         ## no critic(Modules::RequireBarewordIncludes)
-        eval { require "OVH::Bastion::Plugin::$plugin"; };
+        eval { require "OVH/Bastion/Plugin/$plugin.pm"; };
         if (!$@) {
+            osh_debug("We have a config validator for $plugin");
             my $validator = "OVH::Bastion::Plugin::${plugin}::validate_config";
             $fnret = $validator->(config => \%config);
             if (!$fnret || !$fnret->value) {
@@ -821,6 +822,10 @@ sub plugin_config {
                 return R('ERR_INVALID_CONFIGURATION', msg => "Plugin configuration is invalid");
             }
             %config = %{$fnret->value};
+            osh_debug("Configuration for $plugin is valid");
+        }
+        else {
+            osh_debug("We don't have a config validator for $plugin ($@)");
         }
     }
     else {
diff --git a/tests/functional/tests.d/340-selfaccesses.sh b/tests/functional/tests.d/340-selfaccesses.sh
index e0a2d02..0388a54 100644
--- a/tests/functional/tests.d/340-selfaccesses.sh
+++ b/tests/functional/tests.d/340-selfaccesses.sh
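Review bot: In the new `eval { require "OVH/Bastion/Plugin/$plugin.pm"; }` branch, any load error other than "module not found" — a syntax error in the validator, a failing `use` inside it — lands in the new `else`, is logged at debug level only, and the plugin then runs with its config unvalidated, which turns a broken validator into a fail-open path; only a "Can't locate" error should be treated as "no validator". The sketch below splits the two cases while keeping the debug lines the commit adds. Separately, `$plugin` is interpolated into a filesystem path here: if the caller of plugin_config (outside this hunk) does not already restrict it to something like `/\A[a-zA-Z0-9_-]+\z/`, a value containing `/` or `..` would `require` an arbitrary `.pm` — worth confirming, or adding that guard at the top of the sub. plugin_config starts and ends outside the hunk.
```perl
        eval { require "OVH/Bastion/Plugin/$plugin.pm"; };
        if (!$@) {
            osh_debug("We have a config validator for $plugin");
            # … unchanged: call validate_config and replace %config …
        }
        elsif ($@ !~ m{^Can't locate OVH/Bastion/Plugin/}) {
            # the validator module exists but failed to load: refuse to run with unchecked config
            warn_syslog("Config validator for $plugin failed to load: $@");
            return R('ERR_INVALID_CONFIGURATION', msg => "Plugin configuration validator failed to load");
        }
        else {
            osh_debug("We don't have a config validator for $plugin ($@)");
        }
```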
@@ -122,7 +122,14 @@ testsuite_selfaccesses()
     json .command selfAddPersonalAccess .error_code OK_NO_CHANGE .value null
     # test selfAddPersonalAccess config items
-    success selfAddPersonalAccess_setconfig1 $r0 "echo '\{\\\"self_remote_user_only\\\":true\,\\\"widest_v4_prefix\\\":30\}' \> $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf \; chmod o+r $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf"
+    success selfAddPersonalAccess_setconfig_invalid $r0 "echo '\{\\\"self_remote_user_only\\\":true\,\\\"widest_v4_prefix\\\":99\}' \> $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf \; chmod o+r $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf"
+
+    run selfAddPersonalAccess_invalid_config $a0 --osh selfAddPersonalAccess --host 127.0.0.9 --user-any --port-any
+    retvalshouldbe 106
+    json .error_code KO_PLUGIN_DISABLED
+    contain "configuration error"
+
+    success selfAddPersonalAccess_setconfig_valid $r0 "echo '\{\\\"self_remote_user_only\\\":true\,\\\"widest_v4_prefix\\\":30\}' \> $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf \; chmod o+r $opt_remote_etc_bastion/plugin.selfAddPersonalAccess.conf"
     plgfail selfAddPersonalAccess_self_remote_user_only $a0 --osh selfAddPersonalAccess --host 127.0.0.9 --user notme --port-any
     json .error_code ERR_INVALID_PARAMETER
diff --git a/tests/functional/tests.d/350-groups.sh b/tests/functional/tests.d/350-groups.sh
index 1e253d7..3cc6701 100644
--- a/tests/functional/tests.d/350-groups.sh
+++ b/tests/functional/tests.d/350-groups.sh
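Review bot: The new negative case only exercises an out-of-range integer (`99`), so it would not catch the inputs the validator in addPersonalAccess.pm currently mishandles — a non-numeric string, which is accepted and stored as-is, or a negative number, whose sign is dropped by the unanchored digit capture — and those are exactly the cases where silently accepting the value matters. I would add one more invalid-config round before `selfAddPersonalAccess_setconfig_valid`, e.g. writing `\\\"widest_v4_prefix\\\":\\\"abc\\\"` (and/or `-1`) followed by the same `run` / `retvalshouldbe 106` / `json .error_code KO_PLUGIN_DISABLED` trio. It may also be worth one `run` of the `accountAddPersonalAccess` plugin against an invalid config file of its own, since it now shares the validator through the glob alias but has no coverage here. testsuite_selfaccesses starts and ends outside the hunk.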
@@ -141,7 +141,7 @@ EOS
     # now that we have several keys, take the opportunity to test force-key
     plgfail a1_add_access_force_key_and_pwd_g1 $a1 --osh groupAddServer --host 127.1.2.3 --user-any --port-any --force --force-password '$1$2$3456' --force-key "$key1fp" --group $group1
-    .error_code ERR_CONFLICTING_PARAMETERS
+    json .error_code ERR_CONFLICTING_PARAMETERS
     success a1_add_access_force_key_g1 $a1 --osh groupAddServer --host 127.1.2.3 --user-any --port-any --force --force-key "$key1fp" --group $group1