fix: Enable perl-tidy.sh test

* Move to ubuntu-20.04 runner
* Remove checks in docker tests
Thomas SOËTE 2020-11-22 21:05:45 +00:00
parent d1ed88e296
commit 2a51a78b54
34 changed files with 95 additions and 103 deletions


@ -5,7 +5,7 @@ on: [push, pull_request]
jobs:
test:
name: perlcritic, perltidy & shellcheck
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v2
- name: install prerequisites
@ -17,4 +17,4 @@ jobs:
- name: perl critic
run: bin/dev/perl-critic.sh
- name: perl tidy
run: bin/dev/perl-tidy.sh
run: bin/dev/perl-tidy.sh test
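Review bot: The `runs-on: ubuntu-20.04` line pins the runner image without saying why, and now that `bin/dev/perl-tidy.sh test` fails the job on any formatting drift the reason matters to whoever next bumps the image. The pin presumably exists because perltidy's output depends on the version shipped by the distribution, so the job only reproduces the repository's formatting on that exact image; that should be recorded next to the line, e.g. `runs-on: ubuntu-20.04  # pinned: perl-tidy.sh test output depends on the image's perltidy version`. On the context line `uses: actions/checkout@v2` the action is referenced by a floating tag rather than a commit SHA, so the job's supply chain is only as stable as that tag; this is unchanged by the commit but worth pinning in the same spirit as the runner image.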


@ -269,7 +269,7 @@ sub check_file_rights {
chomp @out;
my $lineno = -1;
$expectedOutput = [sort @$expectedOutput];
@out = grep { /./ } sort @out;
@out = grep { /./ } sort @out;
foreach my $outLine (@out) {
next if not $outLine;
$lineno++;


@ -91,7 +91,7 @@ if (not $d{ciphers} or not $d{kexalgorithms} or not $d{macs}) {
}
my @myciphers = split /,/, $h{ciphers}[0];
my %ciphers = (
my %ciphers = (
"3des-cbc" => 1,
"blowfish-cbc" => 1,
"cast128-cbc" => 1,
@ -130,7 +130,7 @@ $list{'highon'} and ok "ciphers: found enabled high-grade ciphers " . join(',',
$list{'highoff'} and wrn "ciphers: found disabled high-grade ciphers " . join(',', @{$list{'highoff'}});
my @mymacs = split /,/, $h{macs}[0];
my %macs = (
my %macs = (
"hmac-sha1" => 1,
"hmac-sha1-96" => 1,
"hmac-sha2-256" => 2,
@ -179,7 +179,7 @@ $list{'highon'} and ok "macs: found enabled high-grade MACs " . join(',', @{$lis
$list{'highoff'} and wrn "macs: found disabled high-grade MACs " . join(',', @{$list{'highoff'}});
my @mykexs = split /,/, $h{kexalgorithms}[0];
my %kexs = (
my %kexs = (
"diffie-hellman-group1-sha1" => 1,
"diffie-hellman-group14-sha1" => 1,
"diffie-hellman-group-exchange-sha1" => 1,
@ -290,7 +290,7 @@ while (<$fh_myself>) {
}
close($fh_myself);
my $decoded = decode_base64(join("\n", @xz));
my $pid = open2(\*CHLD_OUT, \*CHLD_IN, 'unxz', '-c'); #TODO get rid of this call
my $pid = open2(\*CHLD_OUT, \*CHLD_IN, 'unxz', '-c'); #TODO get rid of this call
print CHLD_IN $decoded;
close(CHLD_IN);
my $rawlist;


@ -95,7 +95,7 @@ sub test_config {
my $gpgtest = GnuPG->new(trace => $config{'trace'});
# then, check we can encrypt to each of the recipients
my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1);
my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1);
my $recipientparam = $isoldversion ? $recipient : [$recipient, $recipient];
$gpgtest->encrypt(plaintext => $input . "", output => $outfile . "", recipient => $recipientparam);
if (not -s $outfile) {
@ -118,7 +118,7 @@ sub test_config {
my $gpgtest = GnuPG->new(trace => $config{'trace'});
# then, encrypt to all the recipients, sign, and check the signature
my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1);
my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1);
my $recipientparam = $isoldversion ? (keys %recipients_uniq)[0] : [keys %recipients_uniq];
$gpgtest->encrypt(
plaintext => $input . "",


@ -52,7 +52,7 @@ foreach my $account (%{$fnret->value}) {
# we have PIV grace set for this account
my $expiry = $fnret->value;
my $human = OVH::Bastion::duration2human(seconds => ($expiry - time()))->value;
my $human = OVH::Bastion::duration2human(seconds => ($expiry - time()))->value;
_log "Account $account has PIV grace expiry set to $expiry (" . $human->{'human'} . ")";
# is PIV grace TTL expired?


@ -88,7 +88,7 @@ $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account alread
if ($type eq 'realm') {
$account = "realm_$account";
$fnret = OVH::Bastion::is_account_valid(account => $account, accountType => "realm");
$fnret = OVH::Bastion::is_account_valid(account => $account, accountType => "realm");
$fnret or HEXIT($fnret);
$fnret = OVH::Bastion::is_account_existing(account => $account, accountType => "realm");
@ -299,6 +299,7 @@ if (ref $config->{'accountCreateDefaultPersonalAccesses'} eq 'ARRAY' && $type eq
push @command, '--action', 'add';
push @command, '--account', $account;
push @command, '--ip', $ip;
if ($user) {
push @command, '--user', ($user eq 'ACCOUNT' ? $account : $user);
}


@ -39,7 +39,7 @@ eval {
local $SIG{__WARN__} = sub { push @optwarns, shift };
$result = GetOptions(
"account=s" => sub { $account //= $_[1] },
"modify=s" => \@modify,
"modify=s" => \@modify,
);
};
if ($@) { die $@ }


@ -103,7 +103,7 @@ osh_debug("user -gatek or gatek");
#>CODE
my $msg;
my $prefix = $remoteaccount ? "allowed_$remoteaccount" : "allowed";
my $link = "/home/allowkeeper/$sysaccount/$prefix.ip.$shortGroup";
my $link = "/home/allowkeeper/$sysaccount/$prefix.ip.$shortGroup";
if ($action eq 'del') {
osh_debug("Going to remove symlink");
if (-l $link || -e _) {


@ -121,7 +121,7 @@ $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $group alread
#>PARAMS:ALGO/SIZE
if (!$no_key) {
$algo = lc($algo);
$algo = lc($algo);
$fnret = OVH::Bastion::is_allowed_algo_and_size(algo => $algo, size => $size, way => 'egress');
$fnret or HEXIT($fnret);


@ -31,11 +31,11 @@ $fnret or osh_exit $fnret;
my $result_hash = {};
foreach my $name (sort keys %{$fnret->value}) {
my @flags;
push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name);
push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name);
push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name);
push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name);
push @flags, 'member' if OVH::Bastion::is_group_member(group => $name);
push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name);
push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name);
push @flags, 'member' if OVH::Bastion::is_group_member(group => $name);
push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name);
if (@flags or $all) {
push @flags, 'no-access' if not @flags;
my $line = sprintf "%18s", $name;


@ -48,7 +48,7 @@ if (not defined $pubKey) {
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
$fnret or osh_exit $fnret;
my @algoList = @{$fnret->value};
my $algos = join(' ', @algoList);
my $algos = join(' ', @algoList);
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
if (grep { 'ed25519' eq $_ } @algoList) {
osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";


@ -48,7 +48,7 @@ my @validKeys;
foreach my $key (@{$fnret->value || []}) {
OVH::Bastion::print_public_key(key => $key, id => $key->{'index'}, err => $key->{'err'});
$allowedLines{$key->{'index'}} = 1;
$allowedLines{$key->{'index'}} = 1;
$allowedFingerprints{$key->{'fingerprint'}} = $key->{'index'} if (OVH::Bastion::is_valid_fingerprint(fingerprint => $key->{'fingerprint'}));
push @validKeys, $key->{'index'} if $key->{'err'} eq 'OK';
}


@ -82,7 +82,7 @@ if (not $ok) {
osh_exit 'ERR_INVALID_ALGORITHM', "Only the following list of algorithms is allowed: " . join(' ', @algoList);
}
$size = 256 if (not $size and $algo eq 'ed25519');
$size = 256 if (not $size and $algo eq 'ed25519');
$fnret = OVH::Bastion::is_allowed_algo_and_size(algo => $algo, size => $size, way => 'egress');
$fnret or osh_exit $fnret;


@ -63,13 +63,13 @@ else {
$r->{params} = undef if ($r->{cmdtype} ne 'osh');
$r->{returnvalue} = $r->{comment} if $r->{returnvalue} < 0;
osh_info sprintf "%8s: %s\n", "ID", $r->{uniqid};
osh_info sprintf "%8s: %s\n", "Started", POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestamp}));
osh_info sprintf "%8s: %s\n", "Ended", $r->{timestampend} ? POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestampend})) : 'n/a';
osh_info sprintf "%8s: %s\n", "Duration", $delay;
osh_info sprintf "%8s: %s\n", "Type", $r->{'cmdtype'} . ($r->{'plugin'} ? '-' . $r->{'plugin'} : '') . ($r->{allowed} ? '' : '/DENIED');
osh_info sprintf "%8s: %s:%s (%s)\n", "From", $r->{'ipfrom'}, $r->{'portfrom'}, $r->{'hostfrom'};
osh_info sprintf "%8s: %s@%s:%s\n", "Via", $r->{'account'}, $r->{'bastionip'}, $r->{'bastionport'};
osh_info sprintf "%8s: %s\n", "ID", $r->{uniqid};
osh_info sprintf "%8s: %s\n", "Started", POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestamp}));
osh_info sprintf "%8s: %s\n", "Ended", $r->{timestampend} ? POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestampend})) : 'n/a';
osh_info sprintf "%8s: %s\n", "Duration", $delay;
osh_info sprintf "%8s: %s\n", "Type", $r->{'cmdtype'} . ($r->{'plugin'} ? '-' . $r->{'plugin'} : '') . ($r->{allowed} ? '' : '/DENIED');
osh_info sprintf "%8s: %s:%s (%s)\n", "From", $r->{'ipfrom'}, $r->{'portfrom'}, $r->{'hostfrom'};
osh_info sprintf "%8s: %s@%s:%s\n", "Via", $r->{'account'}, $r->{'bastionip'}, $r->{'bastionport'};
if ($r->{user} || $r->{ipto} || $r->{portto} || $r->{hostto}) {
osh_info sprintf "%8s: %s@%s:%s (%s)\n", "To", $r->{'user'}, $r->{'ipto'}, $r->{'portto'}, $r->{'hostto'};
}


@ -91,7 +91,7 @@ if (!$pubKey && !$noKey) {
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
$fnret or osh_exit $fnret;
my @algoList = @{$fnret->value};
my $algos = join(' ', @algoList);
my $algos = join(' ', @algoList);
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
if (grep { 'ed25519' eq $_ } @algoList) {
osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";


@ -179,7 +179,7 @@ if (OVH::Bastion::is_auditor(account => $self)) {
$fnret = OVH::Bastion::account_config(account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_GRACE);
if ($fnret && $fnret->value > time()) {
my $expiry = $fnret->value - time();
my $human = OVH::Bastion::duration2human(seconds => $expiry)->value;
my $human = OVH::Bastion::duration2human(seconds => $expiry)->value;
osh_info "PIV grace period for this account is " . colored('set', 'green') . " and expires in " . $human->{'human'};
$ret{'ingress_piv_grace'} = {
enabled => 1,


@ -101,7 +101,7 @@ my $shortGroup = $fnret->value->{'shortGroup'};
# check if algo is supported by system
if ($algo) {
$algo = lc($algo);
$algo = lc($algo);
$fnret = OVH::Bastion::is_allowed_algo_and_size(algo => $algo, size => $size, way => 'egress');
$fnret or osh_exit $fnret;
}


@ -60,7 +60,7 @@ if (!$pubKey) {
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
$fnret or osh_exit $fnret;
my @algoList = @{$fnret->value};
my $algos = join(' ', @algoList);
my $algos = join(' ', @algoList);
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
if (grep { 'ed25519' eq $_ } @algoList) {
osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";


@ -39,7 +39,7 @@ if (!$wantedRealm) {
my $pristineRealm = $wantedRealm;
$wantedRealm = "realm_$wantedRealm";
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $wantedRealm, accountType => "realm");
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $wantedRealm, accountType => "realm");
$fnret or osh_exit $fnret;
$wantedRealm = $fnret->value->{'account'}; # untaint


@ -82,7 +82,7 @@ OVH::Bastion::ProxyHTTP->new()->run(
timeout_idle => 3600,
proxy_config => {
insecure => $config->{'insecure'} ? 1 : 0,
timeout => $config->{'timeout'}, # our worker will wait for up to this amount of time for the egress connection to complete
timeout => $config->{'timeout'}, # our worker will wait for up to this amount of time for the egress connection to complete
},
) or die "Proxy launch failed!";


@ -287,13 +287,13 @@ $req->header('Accept-Encoding' => scalar HTTP::Message::decodable());
$req->header('Authorization', 'Basic ' . encode_base64($user . ':' . $device_password, ''));
undef $device_password; # no longer needed
$req->header('X-Bastion-Auth-Mode', $authmode);
$req->header('X-Bastion-Ingress-Client-IP', $ENV{'REMOTE_ADDR'});
$req->header('X-Bastion-Ingress-Client-Port', $ENV{'REMOTE_PORT'});
$req->header('X-Bastion-Auth-Mode', $authmode);
$req->header('X-Bastion-Ingress-Client-IP', $ENV{'REMOTE_ADDR'});
$req->header('X-Bastion-Ingress-Client-Port', $ENV{'REMOTE_PORT'});
$req->header('X-Bastion-Ingress-Client-User-Agent', $ENV{'HTTP_USER_AGENT'});
$req->header('X-Bastion-Ingress-Account', $account);
$req->header('X-Bastion-UniqID', $uniqid);
$req->header('X-Bastion-Instance', Sys::Hostname::hostname());
$req->header('X-Bastion-Ingress-Account', $account);
$req->header('X-Bastion-UniqID', $uniqid);
$req->header('X-Bastion-Instance', Sys::Hostname::hostname());
my $start_time = [Time::HiRes::gettimeofday()];
@ -392,11 +392,11 @@ my @now = Time::HiRes::gettimeofday();
my @t = localtime($now[0]);
my $headers_as_string = $res ? join("", $res->{'_headers'}->as_string("\n")) : '';
my $logfile = sprintf("%s/%s.txt", $finaldir, POSIX::strftime("%F", @t));
my $logline = sprintf(
"--- BASTION_REQUEST UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n".
"--- DEVICE_ANSWER UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n".
"--- END UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n\n",
my $logfile = sprintf("%s/%s.txt", $finaldir, POSIX::strftime("%F", @t));
my $logline = sprintf(
"--- BASTION_REQUEST UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n"
. "--- DEVICE_ANSWER UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n"
. "--- END UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n\n",
$uniqid, $now[0], $now[1], POSIX::strftime("%Y/%m/%d.%H:%M:%S", @t), $req->as_string(),
$uniqid, $now[0], $now[1], POSIX::strftime("%Y/%m/%d.%H:%M:%S", @t),
($res ? sprintf("%s %s\n%s\n%s", $res->protocol, $res->status_line, $headers_as_string, $res->decoded_content) : '(DEVICE TIMEOUT)'),
@ -422,7 +422,7 @@ if ($res) {
}
}
push @headers, ["X-Bastion-Local-Status" => ($res ? "200 OK" : "504 Device Timeout")];
push @headers, ["X-Bastion-Remote-Status" => $res->code] if $res;
push @headers, ["X-Bastion-Remote-Status" => $res->code] if $res;
push @headers, ["X-Bastion-Remote-Server" => $res->header('server')] if ($res && $res->header('server'));
push @headers, ["X-Bastion-Egress-Timing" => sprintf("%d", $delay * 1_000_000)];
push @headers, ["X-Bastion-Downgraded" => 1] if $downgraded;


@ -111,7 +111,7 @@ my $osh_debug = $config->{'debug'};
# and the real remote account name (which doesn't have an account here because it's from another realm)
# is passed through LC_BASTION
if ($self =~ /^realm_([a-zA-Z0-9_.-]+)/) {
$self = sprintf("%s/%s", $1, $ENV{'LC_BASTION'});
$self = sprintf("%s/%s", $1, $ENV{'LC_BASTION'});
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $self, realmOnly => 1);
$fnret or main_exit(OVH::Bastion::EXIT_ACCOUNT_INVALID, "account_invalid", "The realm-scoped account '$self' is invalid (" . $fnret->msg . ")");
}
@ -203,7 +203,7 @@ my $lastlog_filepath = $fnret->value->{'filepath'};
my $lastlogmsg = sprintf("Welcome to $bastionName, $self, this is your first connection");
if ($fnret && $fnret->value && $fnret->value->{'seconds'}) {
my $lastloginfo = $fnret->value->{'info'} ? " from " . $fnret->value->{'info'} : "";
$fnret = OVH::Bastion::duration2human(seconds => $fnret->value->{'seconds'}, tense => "past");
$fnret = OVH::Bastion::duration2human(seconds => $fnret->value->{'seconds'}, tense => "past");
$lastlogmsg = sprintf("Welcome to $bastionName, $self, your last login was %s ago (%s)%s", $fnret->value->{'duration'}, $fnret->value->{'date'}, $lastloginfo);
}
@ -644,6 +644,7 @@ my $isMfaPasswordRequired = OVH::Bastion::is_user_in_group(account => $sysself
my $hasMfaPasswordBypass = OVH::Bastion::is_user_in_group(account => $sysself, group => OVH::Bastion::MFA_PASSWORD_BYPASS_GROUP);
my $isMfaTOTPRequired = OVH::Bastion::is_user_in_group(account => $sysself, group => OVH::Bastion::MFA_TOTP_REQUIRED_GROUP);
my $hasMfaTOTPBypass = OVH::Bastion::is_user_in_group(account => $sysself, group => OVH::Bastion::MFA_TOTP_BYPASS_GROUP);
if ($mfaPolicy ne 'disabled' && !grep { $osh_command eq $_ } qw{ selfMFASetupPassword selfMFASetupTOTP help info }) {
if (($mfaPolicy eq 'password-required' && !$hasMfaPasswordBypass) || $isMfaPasswordRequired) {


@ -178,7 +178,7 @@ sub is_account_nonexpired {
my $isFirstLogin;
my $lastlog;
my $filepath = "/home/$sysaccount/lastlog" . ($remoteaccount ? "_$remoteaccount" : "");
my $value = {filepath => $filepath};
my $value = {filepath => $filepath};
if (-e $filepath) {
$isFirstLogin = 0;
$lastlog = (stat(_))[9];
@ -230,7 +230,7 @@ sub is_account_nonexpired {
if ($accountMaxInactiveDays == 0) {
# no expiration configured, allow login and return some info
return R('OK_FIRST_LOGIN', value => $value) if $isFirstLogin;
return R('OK_FIRST_LOGIN', value => $value) if $isFirstLogin;
return R('OK_EXPIRATION_NOT_CONFIGURED', value => $value);
}
else {
@ -360,8 +360,8 @@ sub osh_header {
my $versionline = 'the-bastion-' . $VERSION;
my $output = '';
$output .= colored('---' . $hostname . '-' x (80 - length($hostname) - length($versionline) - 6) . "$versionline---" . "\n", 'bold blue');
$output .= colored("=> $text\n", "blue");
$output .= colored('-' x 80 . "\n", 'blue');
$output .= colored("=> $text\n", "blue");
$output .= colored('-' x 80 . "\n", 'blue');
print $output unless ($ENV{'PLUGIN_QUIET'});
return;
@ -857,10 +857,10 @@ sub build_ttyrec_cmdline {
my $bastionName = OVH::Bastion::config('bastionName')->value;
my $ttyrecFilenameFormat = OVH::Bastion::config('ttyrecFilenameFormat')->value;
$ttyrecFilenameFormat =~ s/&bastionname/$bastionName/g;
$ttyrecFilenameFormat =~ s/&uniqid/$params{'uniqid'}/g if $params{'uniqid'};
$ttyrecFilenameFormat =~ s/&ip/$params{'ip'}/g if $params{'ip'};
$ttyrecFilenameFormat =~ s/&port/$params{'port'}/g if $params{'port'};
$ttyrecFilenameFormat =~ s/&user/$params{'user'}/g if $params{'user'};
$ttyrecFilenameFormat =~ s/&uniqid/$params{'uniqid'}/g if $params{'uniqid'};
$ttyrecFilenameFormat =~ s/&ip/$params{'ip'}/g if $params{'ip'};
$ttyrecFilenameFormat =~ s/&port/$params{'port'}/g if $params{'port'};
$ttyrecFilenameFormat =~ s/&user/$params{'user'}/g if $params{'user'};
$ttyrecFilenameFormat =~ s/&account/$params{'account'}/g if $params{'account'};
if ($ttyrecFilenameFormat =~ /&(bastionname|uniqid|ip|port|user|account)/) {


@ -95,7 +95,7 @@ sub preconditions {
my $neededright = 'unknown';
if (grep { $type eq $_ } qw{ owner gatekeeper aclkeeper }) {
$neededright = "owner";
$fnret = OVH::Bastion::is_group_owner(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo);
$fnret = OVH::Bastion::is_group_owner(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo);
if (!$fnret) {
osh_debug("user $self not an owner of $shortGroup");
return R('ERR_NOT_GROUP_OWNER', msg => "Sorry, you're not an owner of group $shortGroup, which is needed to change its $type list");
@ -108,7 +108,7 @@ sub preconditions {
}
elsif (grep { $type eq $_ } qw{ member guest }) {
$neededright = "gatekeeper";
$fnret = OVH::Bastion::is_group_gatekeeper(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo);
$fnret = OVH::Bastion::is_group_gatekeeper(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo);
if (!$fnret) {
osh_debug("user $self not a gk of $shortGroup");
return R('ERR_NOT_GROUP_GATEKEEPER', msg => "Sorry, you're not a gatekeeper of group $shortGroup, which is needed to change its $type list");
@ -171,6 +171,7 @@ sub act {
push @command, '--action', $action;
$fnret = OVH::Bastion::helper(cmd => \@command);
$fnret or return $fnret;
if ($fnret->err eq 'OK_NO_CHANGE') {
# make the error msg user friendly


@ -117,7 +117,7 @@ sub log_and_exit {
my $basedir = "/home/proxyhttp/ttyrec";
-d $basedir || mkdir $basedir;
my $srcip = 'src_' . ($ENV{'REMOTE_ADDR'} || '0.0.0.0');
my $srcip = 'src_' . ($ENV{'REMOTE_ADDR'} || '0.0.0.0');
my $finaldir = "$basedir/$srcip";
-d $finaldir || mkdir $finaldir;
@ -174,7 +174,7 @@ sub configure_hook { ## no critic (RequireFinalReturn)
$self->{'server'}{'log_function'} = sub {
my ($level, $msg) = @_;
warn_syslog("osh-http-proxy-daemon: level $level: $msg");
}
}
}
# overrides parent func
@ -301,7 +301,7 @@ sub process_http_request {
}
my ($account, $user_expression, $remotemachine, $remoteport) = ($1, $2, $3, $5); ## no critic (ProhibitCaptureWithoutTest)
undef $loginpart; # no longer needed
$remoteport = 443 if not defined $remoteport;
$remoteport = 443 if not defined $remoteport;
$self->{'_log'}{'hostto'} = $remotemachine;
$self->{'_log'}{'portto'} = $remoteport;
@ -399,7 +399,8 @@ sub process_http_request {
push @cmd, "--group", $group if $group;
push @cmd, "--timeout", $timeout if $timeout;
push @cmd, "--allow-downgrade" if $allow_downgrade;
push @cmd, "--insecure" if ($self->{'proxy_config'}{'insecure'} && !$enforce_secure);
push @cmd, "--insecure" if ($self->{'proxy_config'}{'insecure'} && !$enforce_secure);
foreach my $key (qw{ accept content-type connection }) {
push @cmd, "--header", $key . ':' . $req_headers->{$key} if (defined $req_headers->{$key});
}


@ -506,7 +506,7 @@ sub print_acls {
my $addedDate = $entry->{'addedDate'} || '(unknown)';
$addedDate = substr($addedDate, 0, 10);
my $forceKey = $entry->{'forceKey'} || '-';
my $expiry = $entry->{'expiry'} ? (duration2human(seconds => ($entry->{'expiry'} - time()))->value->{'human'}) : '-';
my $expiry = $entry->{'expiry'} ? (duration2human(seconds => ($entry->{'expiry'} - time()))->value->{'human'}) : '-';
# type => member ('full'), guest ('partial'), personal or legacy
my $ipReverse = OVH::Bastion::ip2host($entry->{'ip'})->value if $reverse;
@ -726,11 +726,11 @@ sub is_access_granted {
undef $fnret;
my $mfaFnret;
if ($access->{'type'} =~ /^group/ and $access->{'group'}) {
$fnret = OVH::Bastion::get_group_keys(group => $access->{'group'}, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'});
$fnret = OVH::Bastion::get_group_keys(group => $access->{'group'}, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'});
$mfaFnret = OVH::Bastion::group_config(key => "mfa_required", group => $access->{'group'});
}
elsif ($access->{'type'} =~ /^personal/) {
$fnret = OVH::Bastion::get_personal_account_keys(account => $sysaccount, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'});
$fnret = OVH::Bastion::get_personal_account_keys(account => $sysaccount, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'});
$mfaFnret = OVH::Bastion::account_config(key => "personal_egress_mfa_required", account => $sysaccount);
}
else {


@ -95,8 +95,8 @@ sub get_next_available_uid {
last if not scalar(getpwuid($next));
$next--;
}
return R('OK', value => $next) if not scalar(getpwuid($next));
return R('ERR_UID_COLLISION', msg => "No available UID in the allowed range");
return R('OK', value => $next) if not scalar(getpwuid($next));
return R('ERR_UID_COLLISION', msg => "No available UID in the allowed range");
}
sub is_bastion_account_valid_and_existing {


@ -175,17 +175,17 @@ sub load_configuration {
$C->{'interactiveModeTimeout'} = 15
if (not defined $C->{'interactiveModeTimeout'} or $C->{'interactiveModeTimeout'} !~ /^\d+$/);
$C->{'syslogFacility'} = 'local7' if (not defined $C->{'syslogFacility'} or $C->{'syslogFacility'} !~ /^\S+$/);
$C->{'syslogFacility'} = 'local7' if (not defined $C->{'syslogFacility'} or $C->{'syslogFacility'} !~ /^\S+$/);
$C->{'syslogDescription'} = 'bastion' if (not defined $C->{'syslogDescription'} or $C->{'syslogDescription'} !~ /^\S+$/);
$C->{'moshTimeoutNetwork'} = 86400 if (not defined $C->{'moshTimeoutNetwork'} or $C->{'moshTimeoutNetwork'} !~ /^\d+$/);
$C->{'moshTimeoutSignal'} = 30 if (not defined $C->{'moshTimeoutSignal'} or $C->{'moshTimeoutSignal'} !~ /^\d+$/);
$C->{'moshTimeoutSignal'} = 30 if (not defined $C->{'moshTimeoutSignal'} or $C->{'moshTimeoutSignal'} !~ /^\d+$/);
$C->{'moshCommandLine'} = "" if (not defined $C->{'moshCommandLine'});
$C->{'ttyrecFilenameFormat'} = '%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.ttyrec' if (not $C->{'ttyrecFilenameFormat'});
$C->{'idleLockTimeout'} = 0 if (not defined $C->{'idleLockTimeout'} or $C->{'idleLockTimeout'} !~ /^\d+$/);
$C->{'idleKillTimeout'} = 0 if (not defined $C->{'idleKillTimeout'} or $C->{'idleKillTimeout'} !~ /^\d+$/);
$C->{'idleLockTimeout'} = 0 if (not defined $C->{'idleLockTimeout'} or $C->{'idleLockTimeout'} !~ /^\d+$/);
$C->{'idleKillTimeout'} = 0 if (not defined $C->{'idleKillTimeout'} or $C->{'idleKillTimeout'} !~ /^\d+$/);
$C->{'warnBeforeLockSeconds'} = 0 if (not defined $C->{'warnBeforeLockSeconds'} or $C->{'warnBeforeLockSeconds'} !~ /^\d+$/);
$C->{'warnBeforeKillSeconds'} = 0 if (not defined $C->{'warnBeforeKillSeconds'} or $C->{'warnBeforeKillSeconds'} !~ /^\d+$/);
@ -193,9 +193,9 @@ sub load_configuration {
$C->{'accountMFAPolicy'} = 'enabled';
}
$C->{'MFAPasswordInactiveDays'} = -1 if (!defined $C->{'MFAPasswordInactiveDays'} || $C->{'MFAPasswordInactiveDays'} !~ /^-\d+$/);
$C->{'MFAPasswordMinDays'} = 0 if (!defined $C->{'MFAPasswordMinDays'} || $C->{'MFAPasswordMinDays'} !~ /^-?\d+$/);
$C->{'MFAPasswordMaxDays'} = 90 if (!defined $C->{'MFAPasswordMaxDays'} || $C->{'MFAPasswordMaxDays'} !~ /^-?\d+$/);
$C->{'MFAPasswordWarnDays'} = 15 if (!defined $C->{'MFAPasswordWarnDays'} || $C->{'MFAPasswordWarnDays'} !~ /^-?\d+$/);
$C->{'MFAPasswordMinDays'} = 0 if (!defined $C->{'MFAPasswordMinDays'} || $C->{'MFAPasswordMinDays'} !~ /^-?\d+$/);
$C->{'MFAPasswordMaxDays'} = 90 if (!defined $C->{'MFAPasswordMaxDays'} || $C->{'MFAPasswordMaxDays'} !~ /^-?\d+$/);
$C->{'MFAPasswordWarnDays'} = 15 if (!defined $C->{'MFAPasswordWarnDays'} || $C->{'MFAPasswordWarnDays'} !~ /^-?\d+$/);
# if kill timeout is lower than lock timeout, just unset lock timeout
$C->{'idleLockTimeout'} = 0 if ($C->{'idleKillTimeout'} <= $C->{'idleLockTimeout'});
@ -239,7 +239,7 @@ sub load_configuration {
}
$C->{'adminAccounts'} = [
grep { OVH::Bastion::is_bastion_account_valid_and_existing(account => $_) }
map { s/[^a-zA-Z0-9_-]//g; $_ } @{$C->{'adminAccounts'}}
map { s/[^a-zA-Z0-9_-]//g; $_ } @{$C->{'adminAccounts'}}
];
$C->{'documentationURL'} ||= "https://ovh.github.io/the-bastion/";
@ -302,7 +302,7 @@ sub account_config {
if (!-d $rootdir) {
return R('ERR_DIRECTORY_NOT_FOUND', msg => "Home directory of $account ($rootdir) doesn't exist");
}
my $prefix = $remoteaccount ? "config_$remoteaccount" : "config";
my $prefix = $remoteaccount ? "config_$remoteaccount" : "config";
my $filename = "$rootdir/$prefix.$key";
if ($delete) {
@ -480,7 +480,7 @@ sub json_load {
my %params = @_;
# Check params
my $file = $params{'file'};
my $file = $params{'file'};
my $keywords = $params{'keywords'} || [];
if (!$file) {


@ -182,7 +182,7 @@ EOM
while (defined(my $line = $term->readline($prompt))) {
alarm(0); # disable timeout
$line =~ s/^\s+|\s+$//g;
next if (length($line) == 0); # ignore empty lines
next if (length($line) == 0); # ignore empty lines
last if ($line eq 'exit' or $line eq 'quit' or $line eq 'q'); # break out of loop if asked
$term->addhistory($line);


@ -358,7 +358,7 @@ sub log_access_insert {
$params{'timestamp'} = $timestamp;
$params{'timestampusec'} = $timestampusec;
my @localtime = localtime(time());
my @localtime = localtime(time());
my $sqlfile_global = sprintf("/home/logkeeper/global-log-%04d.sqlite", $localtime[5] + 1900);
my $sqlfile_account =
sprintf("/home/%s/%s-log-%04d%02d.sqlite", $params{'loghome'}, $remoteaccount || $loghome, $localtime[5] + 1900, $localtime[4] + 1);


@ -233,9 +233,9 @@ sub sys_addmembertogroup {
}
if (is_openbsd() || is_netbsd()) {
my $fnret = OVH::Bastion::execute(cmd => ["groups", $user], must_succeed => 1);
my $fnret = OVH::Bastion::execute(cmd => ["groups", $user], must_succeed => 1);
my @stdout = @{$fnret->value->{'stdout'} || []};
my @cur = split(/ /, $stdout[0]);
my @cur = split(/ /, $stdout[0]);
return R('ERR_SYSTEM_LIMIT_REACHED') if @cur >= 16;
}
@ -351,7 +351,7 @@ sub sys_changepassword {
$stdin_str = "$user:$password";
}
elsif (is_freebsd()) {
@cmd = ('pw', 'usermod', $user, '-h', '0');
@cmd = ('pw', 'usermod', $user, '-h', '0');
$stdin_str = $password;
}
elsif (is_openbsd() || is_netbsd()) {
@ -391,7 +391,7 @@ sub sys_neutralizepassword {
my $stdin_str;
if (is_linux()) {
@cmd = ('chpasswd', '-e');
@cmd = ('chpasswd', '-e');
$stdin_str = "$user:*";
}
elsif (is_freebsd()) {
@ -492,7 +492,7 @@ sub sys_getpasswordinfo {
}
require POSIX;
$ret{'date_changed_timestamp'} = 86400 * delete($ret{'epoch_changed_days'}) + 0;
$ret{'date_changed'} = $ret{'date_changed_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_changed_timestamp'})) : undef;
$ret{'date_changed'} = $ret{'date_changed_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_changed_timestamp'})) : undef;
$ret{'min_days'} += 0;
$ret{'max_days'} += 0;
$ret{'max_days'} = -1 if $ret{'max_days'} >= 9999;
@ -500,7 +500,7 @@ sub sys_getpasswordinfo {
$ret{'inactive_days'} = -1 if $ret{'inactive_days'} eq '';
$ret{'inactive_days'} += 0;
$ret{'date_disabled_timestamp'} = 86400 * delete($ret{'epoch_disabled_days'}) + 0;
$ret{'date_disabled'} = $ret{'date_disabled_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_disabled_timestamp'})) : undef;
$ret{'date_disabled'} = $ret{'date_disabled_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_disabled_timestamp'})) : undef;
return R('OK', value => \%ret);
}
@ -553,7 +553,7 @@ sub sys_setfacl {
}
# apply the default ACL
@cmd = ('setfacl', '-d', '-m', join(',', @perms), $target);
@cmd = ('setfacl', '-d', '-m', join(',', @perms), $target);
$fnret = OVH::Bastion::execute(cmd => \@cmd, must_succeed => 1, noisy_stderr => 1);
$fnret or return R('ERR_SETFACL_FAILED_FREEBSD', msg => "Couldn't set the prerequisite default ACL");
}


@ -16,7 +16,7 @@ sub _get_key_from_password {
my $salt = 'JPYWrLpoXcXFA46m9DUI5z02SqUd2baG';
my $iterations = 10_000;
my $hash = hmac_sha256($salt . pack('N', 0), $password);
my $hash = hmac_sha256($salt . pack('N', 0), $password);
my $result = $hash;
for my $iter (2 .. $iterations) {


@ -91,7 +91,7 @@ sub get_authorized_keys_from_file {
$key->{'info'} = $info if $info;
if ($pivAttestationCertificate && $pivKeyCertificate) {
$fnret = OVH::Bastion::verify_piv(key => $key->{'line'}, attestationCertificate => $pivAttestationCertificate, keyCertificate => $pivKeyCertificate);
$key->{'isPiv'} = ($fnret ? 1 : 0);
$key->{'isPiv'} = ($fnret ? 1 : 0);
$key->{'pivInfo'} = $fnret->value if $fnret;
}
if ($includePivDisabled && $pivDisabled) {
@ -226,7 +226,7 @@ sub get_ssh_pub_key_info {
# put that in a tempfile for ssh-keygen inspection
if (not $noexec) {
my $fh = File::Temp->new(UNLINK => 1);
my $fh = File::Temp->new(UNLINK => 1);
my $filename = $fh->filename;
print {$fh} $typecode . " " . $base64;
close($fh);
@ -388,7 +388,7 @@ sub get_from_for_user_key {
# if we have a $key, modify it accordingly
if ($key) {
$key->{'prefix'} = $from;
$key->{'line'} = ($from ? $from . " " : "") . $key->{'typecode'} . " " . $key->{'base64'};
$key->{'line'} = ($from ? $from . " " : "") . $key->{'typecode'} . " " . $key->{'base64'};
$key->{'line'} .= " " . $key->{'comment'} if $key->{'comment'};
$key->{'fromList'} = \@ipListVerified;
}
@ -460,7 +460,7 @@ sub generate_ssh_key {
$fnret->err eq 'OK' or return R('ERR_SSH_KEYGEN_FAILED', msg => "Error while generating group key (" . $fnret->msg . ")");
my %files = (
$sshKeyName => ($group_readable ? 0440 : 0400),
$sshKeyName => ($group_readable ? 0440 : 0400),
$sshKeyName . '.pub' => 0444,
);
while (my ($file, $chmod) = each(%files)) {


@ -7,18 +7,6 @@ basedir=$(readlink -f "$(dirname "$0")"/../../..)
# shellcheck source=lib/shell/colors.inc
. "$basedir"/lib/shell/colors.inc
if [ "$TEST_QUICK" = 0 ]; then
printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "SHELL CHECK" "$NOC"
"$(dirname "$0")"/../../../bin/dev/shell-check.sh || exit 254
printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "PERL CRITIC" "$NOC"
"$(dirname "$0")"/../../../bin/dev/perl-critic.sh || exit 254
printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "PERL TIDY" "$NOC"
"$(dirname "$0")"/../../../bin/dev/perl-tidy.sh test || exit 254
fi
printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "SETTING UP KEYS" "$NOC"
base64 -d <<< "$USER_PRIVKEY_B64" > /root/user.privkey
chmod 400 /root/user.privkey