From 2a51a78b5403271cc36ec3fe221e36295aa0d47a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20SO=C3=8BTE?=
Date: Sun, 22 Nov 2020 21:05:45 +0000
Subject: [PATCH] fix: Enable perl-tidy.sh test

* Move to ubuntu-20.04 runner
* Remove check in dockers tests
---
 .github/workflows/tests_basic.yml | 4 ++--
 bin/admin/check-consistency.pl | 2 +-
 bin/admin/check-ssh-hardening.pl | 8 +++---
 bin/cron/osh-encrypt-rsync.pl | 4 ++--
 bin/cron/osh-piv-grace-reaper.pl | 2 +-
 bin/helper/osh-accountCreate | 3 ++-
 bin/helper/osh-accountModify | 2 +-
 bin/helper/osh-groupAddSymlinkToAccount | 2 +-
 bin/helper/osh-groupCreate | 2 +-
 bin/plugin/open/groupList | 8 +++---
 bin/plugin/open/selfAddIngressKey | 2 +-
 bin/plugin/open/selfDelIngressKey | 2 +-
 bin/plugin/open/selfGenerateEgressKey | 2 +-
 bin/plugin/open/selfPlaySession | 14 ++++++------
 bin/plugin/restricted/accountCreate | 2 +-
 bin/plugin/restricted/accountInfo | 2 +-
 bin/plugin/restricted/groupCreate | 2 +-
 bin/plugin/restricted/realmCreate | 2 +-
 bin/plugin/restricted/realmDelete | 2 +-
 bin/proxy/osh-http-proxy-daemon | 2 +-
 bin/proxy/osh-http-proxy-worker | 24 ++++++++++-----------
 bin/shell/osh.pl | 5 +++--
 lib/perl/OVH/Bastion.pm | 16 +++++++-------
 lib/perl/OVH/Bastion/Plugin/groupSetRole.pm | 5 +++--
 lib/perl/OVH/Bastion/ProxyHTTP.pm | 9 ++++----
 lib/perl/OVH/Bastion/allowdeny.inc | 6 +++---
 lib/perl/OVH/Bastion/allowkeeper.inc | 4 ++--
 lib/perl/OVH/Bastion/configuration.inc | 20 ++++++++--------
 lib/perl/OVH/Bastion/interactive.inc | 2 +-
 lib/perl/OVH/Bastion/log.inc | 2 +-
 lib/perl/OVH/Bastion/os.inc | 14 ++++++------
 lib/perl/OVH/Bastion/password.inc | 2 +-
 lib/perl/OVH/Bastion/ssh.inc | 8 +++---
 tests/functional/docker/tester_role.sh | 12 -----------
 34 files changed, 95 insertions(+), 103 deletions(-)
diff --git a/.github/workflows/tests_basic.yml b/.github/workflows/tests_basic.yml
index c3488dc..87cd11d 100644
--- a/.github/workflows/tests_basic.yml
+++ b/.github/workflows/tests_basic.yml
@@ -5,7 +5,7 @@ on: [push, pull_request]
 jobs:
 test:
 name: perlcritic, perltidy & shellcheck
- runs-on: ubuntu-latest
+ runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@v2
 - name: install prerequisites
@@ -17,4 +17,4 @@ jobs:
 - name: perl critic
 run: bin/dev/perl-critic.sh
 - name: perl tidy
- run: bin/dev/perl-tidy.sh
+ run: bin/dev/perl-tidy.sh test
diff --git a/bin/admin/check-consistency.pl b/bin/admin/check-consistency.pl
index 7e0de32..e2f5fc8 100755
--- a/bin/admin/check-consistency.pl
+++ b/bin/admin/check-consistency.pl
@@ -269,7 +269,7 @@ sub check_file_rights {
 chomp @out;
 my $lineno = -1;
 $expectedOutput = [sort @$expectedOutput];
- @out = grep { /./ } sort @out;
+ @out = grep { /./ } sort @out;
 foreach my $outLine (@out) {
 next if not $outLine;
 $lineno++;
diff --git a/bin/admin/check-ssh-hardening.pl b/bin/admin/check-ssh-hardening.pl
index 2ed4737..65dd580 100755
--- a/bin/admin/check-ssh-hardening.pl
+++ b/bin/admin/check-ssh-hardening.pl
@@ -91,7 +91,7 @@ if (not $d{ciphers} or not $d{kexalgorithms} or not $d{macs}) {
 } my @myciphers = split /,/, $h{ciphers}[0];
-my %ciphers = (
+my %ciphers = (
 "3des-cbc" => 1,
 "blowfish-cbc" => 1,
 "cast128-cbc" => 1,
@@ -130,7 +130,7 @@ $list{'highon'} and ok "ciphers: found enabled high-grade ciphers " . join(',',
 $list{'highoff'} and wrn "ciphers: found disabled high-grade ciphers " . join(',', @{$list{'highoff'}}); my @mymacs = split /,/, $h{macs}[0];
-my %macs = (
+my %macs = (
 "hmac-sha1" => 1,
 "hmac-sha1-96" => 1,
 "hmac-sha2-256" => 2,
@@ -179,7 +179,7 @@ $list{'highon'} and ok "macs: found enabled high-grade MACs " . join(',', @{$lis
 $list{'highoff'} and wrn "macs: found disabled high-grade MACs " . join(',', @{$list{'highoff'}}); my @mykexs = split /,/, $h{kexalgorithms}[0];
-my %kexs = (
+my %kexs = (
 "diffie-hellman-group1-sha1" => 1,
 "diffie-hellman-group14-sha1" => 1,
 "diffie-hellman-group-exchange-sha1" => 1,
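Review bot: The switch from `ubuntu-latest` to `ubuntu-20.04` in the first tests_basic.yml hunk carries no explanation in the workflow, so a later maintainer cannot tell whether the pin is load-bearing or safe to drop when the image is retired. Presumably it is there because `bin/dev/perl-tidy.sh test` in the second hunk compares the tree against the Perl::Tidy version shipped by the runner image, whose output changes between releases; the commit message only says "Move to ubuntu-20.04 runner". If that is the reason, a one-line comment above `runs-on`, such as `# pinned: perl-tidy.sh test depends on the image's Perl::Tidy version`, would document the dependency and tell the reader what to re-verify before moving the runner again.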
@@ -290,7 +290,7 @@ while (<$fh_myself>) { } close($fh_myself); my $decoded = decode_base64(join("\n", @xz)); -my $pid = open2(\*CHLD_OUT, \*CHLD_IN, 'unxz', '-c'); #TODO get rid of this call +my $pid = open2(\*CHLD_OUT, \*CHLD_IN, 'unxz', '-c'); #TODO get rid of this call print CHLD_IN $decoded; close(CHLD_IN); my $rawlist; diff --git a/bin/cron/osh-encrypt-rsync.pl b/bin/cron/osh-encrypt-rsync.pl index 63c8b5a..8d15934 100755 --- a/bin/cron/osh-encrypt-rsync.pl +++ b/bin/cron/osh-encrypt-rsync.pl @@ -95,7 +95,7 @@ sub test_config { my $gpgtest = GnuPG->new(trace => $config{'trace'}); # then, check we can encrypt to each of the recipients - my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1); + my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1); my $recipientparam = $isoldversion ? $recipient : [$recipient, $recipient]; $gpgtest->encrypt(plaintext => $input . "", output => $outfile . "", recipient => $recipientparam); if (not -s $outfile) { @@ -118,7 +118,7 @@ sub test_config { my $gpgtest = GnuPG->new(trace => $config{'trace'}); # then, encrypt to all the recipients, sign, and check the signature - my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1); + my $outfile = File::Temp->new(UNLINK => 1, TMPDIR => 1); my $recipientparam = $isoldversion ? (keys %recipients_uniq)[0] : [keys %recipients_uniq]; $gpgtest->encrypt( plaintext => $input . "", diff --git a/bin/cron/osh-piv-grace-reaper.pl b/bin/cron/osh-piv-grace-reaper.pl index 87a3dba..82d6f75 100755 --- a/bin/cron/osh-piv-grace-reaper.pl +++ b/bin/cron/osh-piv-grace-reaper.pl @@ -52,7 +52,7 @@ foreach my $account (%{$fnret->value}) { # we have PIV grace set for this account my $expiry = $fnret->value; - my $human = OVH::Bastion::duration2human(seconds => ($expiry - time()))->value; + my $human = OVH::Bastion::duration2human(seconds => ($expiry - time()))->value; _log "Account $account has PIV grace expiry set to $expiry (" . $human->{'human'} . ")"; # is PIV grace TTL expired? 
diff --git a/bin/helper/osh-accountCreate b/bin/helper/osh-accountCreate index 730fa45..a0b2c9a 100755 --- a/bin/helper/osh-accountCreate +++ b/bin/helper/osh-accountCreate @@ -88,7 +88,7 @@ $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account alread if ($type eq 'realm') { $account = "realm_$account"; - $fnret = OVH::Bastion::is_account_valid(account => $account, accountType => "realm"); + $fnret = OVH::Bastion::is_account_valid(account => $account, accountType => "realm"); $fnret or HEXIT($fnret); $fnret = OVH::Bastion::is_account_existing(account => $account, accountType => "realm"); @@ -299,6 +299,7 @@ if (ref $config->{'accountCreateDefaultPersonalAccesses'} eq 'ARRAY' && $type eq push @command, '--action', 'add'; push @command, '--account', $account; push @command, '--ip', $ip; + if ($user) { push @command, '--user', ($user eq 'ACCOUNT' ? $account : $user); } diff --git a/bin/helper/osh-accountModify b/bin/helper/osh-accountModify index 8506d47..eb71ed8 100755 --- a/bin/helper/osh-accountModify +++ b/bin/helper/osh-accountModify @@ -39,7 +39,7 @@ eval { local $SIG{__WARN__} = sub { push @optwarns, shift }; $result = GetOptions( "account=s" => sub { $account //= $_[1] }, - "modify=s" => \@modify, + "modify=s" => \@modify, ); }; if ($@) { die $@ } diff --git a/bin/helper/osh-groupAddSymlinkToAccount b/bin/helper/osh-groupAddSymlinkToAccount index 9d5d6a2..5e1f7f6 100755 --- a/bin/helper/osh-groupAddSymlinkToAccount +++ b/bin/helper/osh-groupAddSymlinkToAccount @@ -103,7 +103,7 @@ osh_debug("user -gatek or gatek"); #>CODE my $msg; my $prefix = $remoteaccount ? "allowed_$remoteaccount" : "allowed"; -my $link = "/home/allowkeeper/$sysaccount/$prefix.ip.$shortGroup"; +my $link = "/home/allowkeeper/$sysaccount/$prefix.ip.$shortGroup"; if ($action eq 'del') { osh_debug("Going to remove symlink"); if (-l $link || -e _) { diff --git a/bin/helper/osh-groupCreate b/bin/helper/osh-groupCreate index 08384a7..7f85107 100755 
--- a/bin/helper/osh-groupCreate +++ b/bin/helper/osh-groupCreate @@ -121,7 +121,7 @@ $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $group alread #>PARAMS:ALGO/SIZE if (!$no_key) { - $algo = lc($algo); + $algo = lc($algo); $fnret = OVH::Bastion::is_allowed_algo_and_size(algo => $algo, size => $size, way => 'egress'); $fnret or HEXIT($fnret); diff --git a/bin/plugin/open/groupList b/bin/plugin/open/groupList index b5fe34d..0626a75 100755 --- a/bin/plugin/open/groupList +++ b/bin/plugin/open/groupList @@ -31,11 +31,11 @@ $fnret or osh_exit $fnret; my $result_hash = {}; foreach my $name (sort keys %{$fnret->value}) { my @flags; - push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name); + push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name); push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name); - push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name); - push @flags, 'member' if OVH::Bastion::is_group_member(group => $name); - push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name); + push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name); + push @flags, 'member' if OVH::Bastion::is_group_member(group => $name); + push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name); if (@flags or $all) { push @flags, 'no-access' if not @flags; my $line = sprintf "%18s", $name; diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey index 728e855..852e8bf 100755 --- a/bin/plugin/open/selfAddIngressKey +++ b/bin/plugin/open/selfAddIngressKey 
@@ -48,7 +48,7 @@ if (not defined $pubKey) { $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress'); $fnret or osh_exit $fnret; my @algoList = @{$fnret->value}; - my $algos = join(' ', @algoList); + my $algos = join(' ', @algoList); osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n"; if (grep { 'ed25519' eq $_ } @algoList) { osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one"; diff --git a/bin/plugin/open/selfDelIngressKey b/bin/plugin/open/selfDelIngressKey index 41d5b0a..58f2942 100755 --- a/bin/plugin/open/selfDelIngressKey +++ b/bin/plugin/open/selfDelIngressKey @@ -48,7 +48,7 @@ my @validKeys; foreach my $key (@{$fnret->value || []}) { OVH::Bastion::print_public_key(key => $key, id => $key->{'index'}, err => $key->{'err'}); - $allowedLines{$key->{'index'}} = 1; + $allowedLines{$key->{'index'}} = 1; $allowedFingerprints{$key->{'fingerprint'}} = $key->{'index'} if (OVH::Bastion::is_valid_fingerprint(fingerprint => $key->{'fingerprint'})); push @validKeys, $key->{'index'} if $key->{'err'} eq 'OK'; } diff --git a/bin/plugin/open/selfGenerateEgressKey b/bin/plugin/open/selfGenerateEgressKey index c0f3603..107aece 100755 --- a/bin/plugin/open/selfGenerateEgressKey +++ b/bin/plugin/open/selfGenerateEgressKey @@ -82,7 +82,7 @@ if (not $ok) { osh_exit 'ERR_INVALID_ALGORITHM', "Only the following list of algorithms is allowed: " . join(' ', @algoList); } -$size = 256 if (not $size and $algo eq 'ed25519'); +$size = 256 if (not $size and $algo eq 'ed25519'); $fnret = OVH::Bastion::is_allowed_algo_and_size(algo => $algo, size => $size, way => 'egress'); $fnret or osh_exit $fnret; diff --git a/bin/plugin/open/selfPlaySession b/bin/plugin/open/selfPlaySession index c147774..60fb222 100755 --- a/bin/plugin/open/selfPlaySession +++ b/bin/plugin/open/selfPlaySession 
@@ -63,13 +63,13 @@ else { $r->{params} = undef if ($r->{cmdtype} ne 'osh'); $r->{returnvalue} = $r->{comment} if $r->{returnvalue} < 0; -osh_info sprintf "%8s: %s\n", "ID", $r->{uniqid}; -osh_info sprintf "%8s: %s\n", "Started", POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestamp})); -osh_info sprintf "%8s: %s\n", "Ended", $r->{timestampend} ? POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestampend})) : 'n/a'; -osh_info sprintf "%8s: %s\n", "Duration", $delay; -osh_info sprintf "%8s: %s\n", "Type", $r->{'cmdtype'} . ($r->{'plugin'} ? '-' . $r->{'plugin'} : '') . ($r->{allowed} ? '' : '/DENIED'); -osh_info sprintf "%8s: %s:%s (%s)\n", "From", $r->{'ipfrom'}, $r->{'portfrom'}, $r->{'hostfrom'}; -osh_info sprintf "%8s: %s@%s:%s\n", "Via", $r->{'account'}, $r->{'bastionip'}, $r->{'bastionport'}; +osh_info sprintf "%8s: %s\n", "ID", $r->{uniqid}; +osh_info sprintf "%8s: %s\n", "Started", POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestamp})); +osh_info sprintf "%8s: %s\n", "Ended", $r->{timestampend} ? POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestampend})) : 'n/a'; +osh_info sprintf "%8s: %s\n", "Duration", $delay; +osh_info sprintf "%8s: %s\n", "Type", $r->{'cmdtype'} . ($r->{'plugin'} ? '-' . $r->{'plugin'} : '') . ($r->{allowed} ? '' : '/DENIED'); +osh_info sprintf "%8s: %s:%s (%s)\n", "From", $r->{'ipfrom'}, $r->{'portfrom'}, $r->{'hostfrom'}; +osh_info sprintf "%8s: %s@%s:%s\n", "Via", $r->{'account'}, $r->{'bastionip'}, $r->{'bastionport'}; if ($r->{user} || $r->{ipto} || $r->{portto} || $r->{hostto}) { osh_info sprintf "%8s: %s@%s:%s (%s)\n", "To", $r->{'user'}, $r->{'ipto'}, $r->{'portto'}, $r->{'hostto'}; } diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate index f6a5132..ecceb41 100755 --- a/bin/plugin/restricted/accountCreate +++ b/bin/plugin/restricted/accountCreate 
@@ -91,7 +91,7 @@ if (!$pubKey && !$noKey) { $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress'); $fnret or osh_exit $fnret; my @algoList = @{$fnret->value}; - my $algos = join(' ', @algoList); + my $algos = join(' ', @algoList); osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n"; if (grep { 'ed25519' eq $_ } @algoList) { osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one"; diff --git a/bin/plugin/restricted/accountInfo b/bin/plugin/restricted/accountInfo index 60c6c58..c5759c9 100755 --- a/bin/plugin/restricted/accountInfo +++ b/bin/plugin/restricted/accountInfo @@ -179,7 +179,7 @@ if (OVH::Bastion::is_auditor(account => $self)) { $fnret = OVH::Bastion::account_config(account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_GRACE); if ($fnret && $fnret->value > time()) { my $expiry = $fnret->value - time(); - my $human = OVH::Bastion::duration2human(seconds => $expiry)->value; + my $human = OVH::Bastion::duration2human(seconds => $expiry)->value; osh_info "PIV grace period for this account is " . colored('set', 'green') . " and expires in " . $human->{'human'}; $ret{'ingress_piv_grace'} = { enabled => 1, diff --git a/bin/plugin/restricted/groupCreate b/bin/plugin/restricted/groupCreate index 5cc5c68..c023fc6 100755 --- a/bin/plugin/restricted/groupCreate +++ b/bin/plugin/restricted/groupCreate @@ -101,7 +101,7 @@ my $shortGroup = $fnret->value->{'shortGroup'}; # check if algo is supported by system if ($algo) { - $algo = lc($algo); + $algo = lc($algo); $fnret = OVH::Bastion::is_allowed_algo_and_size(algo => $algo, size => $size, way => 'egress'); $fnret or osh_exit $fnret; } diff --git a/bin/plugin/restricted/realmCreate b/bin/plugin/restricted/realmCreate index 217f2e5..40cf829 100755 --- a/bin/plugin/restricted/realmCreate +++ b/bin/plugin/restricted/realmCreate 
@@ -60,7 +60,7 @@ if (!$pubKey) { $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress'); $fnret or osh_exit $fnret; my @algoList = @{$fnret->value}; - my $algos = join(' ', @algoList); + my $algos = join(' ', @algoList); osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n"; if (grep { 'ed25519' eq $_ } @algoList) { osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one"; diff --git a/bin/plugin/restricted/realmDelete b/bin/plugin/restricted/realmDelete index 28651f1..92e3e7b 100755 --- a/bin/plugin/restricted/realmDelete +++ b/bin/plugin/restricted/realmDelete @@ -39,7 +39,7 @@ if (!$wantedRealm) { my $pristineRealm = $wantedRealm; $wantedRealm = "realm_$wantedRealm"; -$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $wantedRealm, accountType => "realm"); +$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $wantedRealm, accountType => "realm"); $fnret or osh_exit $fnret; $wantedRealm = $fnret->value->{'account'}; # untaint diff --git a/bin/proxy/osh-http-proxy-daemon b/bin/proxy/osh-http-proxy-daemon index 12b3664..cbaf986 100755 --- a/bin/proxy/osh-http-proxy-daemon +++ b/bin/proxy/osh-http-proxy-daemon @@ -82,7 +82,7 @@ OVH::Bastion::ProxyHTTP->new()->run( timeout_idle => 3600, proxy_config => { insecure => $config->{'insecure'} ? 1 : 0, - timeout => $config->{'timeout'}, # our worker will wait for up to this amount of time for the egress connection to complete + timeout => $config->{'timeout'}, # our worker will wait for up to this amount of time for the egress connection to complete }, ) or die "Proxy launch failed!"; diff --git a/bin/proxy/osh-http-proxy-worker b/bin/proxy/osh-http-proxy-worker index f956739..d84078a 100755 --- a/bin/proxy/osh-http-proxy-worker +++ b/bin/proxy/osh-http-proxy-worker 
@@ -287,13 +287,13 @@ $req->header('Accept-Encoding' => scalar HTTP::Message::decodable()); $req->header('Authorization', 'Basic ' . encode_base64($user . ':' . $device_password, '')); undef $device_password; # no longer needed -$req->header('X-Bastion-Auth-Mode', $authmode); -$req->header('X-Bastion-Ingress-Client-IP', $ENV{'REMOTE_ADDR'}); -$req->header('X-Bastion-Ingress-Client-Port', $ENV{'REMOTE_PORT'}); +$req->header('X-Bastion-Auth-Mode', $authmode); +$req->header('X-Bastion-Ingress-Client-IP', $ENV{'REMOTE_ADDR'}); +$req->header('X-Bastion-Ingress-Client-Port', $ENV{'REMOTE_PORT'}); $req->header('X-Bastion-Ingress-Client-User-Agent', $ENV{'HTTP_USER_AGENT'}); -$req->header('X-Bastion-Ingress-Account', $account); -$req->header('X-Bastion-UniqID', $uniqid); -$req->header('X-Bastion-Instance', Sys::Hostname::hostname()); +$req->header('X-Bastion-Ingress-Account', $account); +$req->header('X-Bastion-UniqID', $uniqid); +$req->header('X-Bastion-Instance', Sys::Hostname::hostname()); my $start_time = [Time::HiRes::gettimeofday()]; 
@@ -392,11 +392,11 @@ my @now = Time::HiRes::gettimeofday(); my @t = localtime($now[0]); my $headers_as_string = $res ? join("", $res->{'_headers'}->as_string("\n")) : ''; -my $logfile = sprintf("%s/%s.txt", $finaldir, POSIX::strftime("%F", @t)); -my $logline = sprintf( - "--- BASTION_REQUEST UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n". - "--- DEVICE_ANSWER UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n". - "--- END UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n\n", +my $logfile = sprintf("%s/%s.txt", $finaldir, POSIX::strftime("%F", @t)); +my $logline = sprintf( + "--- BASTION_REQUEST UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n" + . "--- DEVICE_ANSWER UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n%s\n" + . "--- END UNIQID=%s TIMESTAMP=%d.%06d DATE=%s ---\n\n", $uniqid, $now[0], $now[1], POSIX::strftime("%Y/%m/%d.%H:%M:%S", @t), $req->as_string(), $uniqid, $now[0], $now[1], POSIX::strftime("%Y/%m/%d.%H:%M:%S", @t), ($res ? sprintf("%s %s\n%s\n%s", $res->protocol, $res->status_line, $headers_as_string, $res->decoded_content) : '(DEVICE TIMEOUT)'), @@ -422,7 +422,7 @@ if ($res) { } } push @headers, ["X-Bastion-Local-Status" => ($res ? "200 OK" : "504 Device Timeout")]; -push @headers, ["X-Bastion-Remote-Status" => $res->code] if $res; +push @headers, ["X-Bastion-Remote-Status" => $res->code] if $res; push @headers, ["X-Bastion-Remote-Server" => $res->header('server')] if ($res && $res->header('server')); push @headers, ["X-Bastion-Egress-Timing" => sprintf("%d", $delay * 1_000_000)]; push @headers, ["X-Bastion-Downgraded" => 1] if $downgraded; diff --git a/bin/shell/osh.pl b/bin/shell/osh.pl index bd5e15f..57c89fe 100755 --- a/bin/shell/osh.pl +++ b/bin/shell/osh.pl 
@@ -111,7 +111,7 @@ my $osh_debug = $config->{'debug'}; # and the real remote account name (which doesn't have an account here because it's from another realm) # is passed through LC_BASTION if ($self =~ /^realm_([a-zA-Z0-9_.-]+)/) { - $self = sprintf("%s/%s", $1, $ENV{'LC_BASTION'}); + $self = sprintf("%s/%s", $1, $ENV{'LC_BASTION'}); $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $self, realmOnly => 1); $fnret or main_exit(OVH::Bastion::EXIT_ACCOUNT_INVALID, "account_invalid", "The realm-scoped account '$self' is invalid (" . $fnret->msg . ")"); } @@ -203,7 +203,7 @@ my $lastlog_filepath = $fnret->value->{'filepath'}; my $lastlogmsg = sprintf("Welcome to $bastionName, $self, this is your first connection"); if ($fnret && $fnret->value && $fnret->value->{'seconds'}) { my $lastloginfo = $fnret->value->{'info'} ? " from " . $fnret->value->{'info'} : ""; - $fnret = OVH::Bastion::duration2human(seconds => $fnret->value->{'seconds'}, tense => "past"); + $fnret = OVH::Bastion::duration2human(seconds => $fnret->value->{'seconds'}, tense => "past"); $lastlogmsg = sprintf("Welcome to $bastionName, $self, your last login was %s ago (%s)%s", $fnret->value->{'duration'}, $fnret->value->{'date'}, $lastloginfo); } @@ -644,6 +644,7 @@ my $isMfaPasswordRequired = OVH::Bastion::is_user_in_group(account => $sysself my $hasMfaPasswordBypass = OVH::Bastion::is_user_in_group(account => $sysself, group => OVH::Bastion::MFA_PASSWORD_BYPASS_GROUP); my $isMfaTOTPRequired = OVH::Bastion::is_user_in_group(account => $sysself, group => OVH::Bastion::MFA_TOTP_REQUIRED_GROUP); my $hasMfaTOTPBypass = OVH::Bastion::is_user_in_group(account => $sysself, group => OVH::Bastion::MFA_TOTP_BYPASS_GROUP); + if ($mfaPolicy ne 'disabled' && !grep { $osh_command eq $_ } qw{ selfMFASetupPassword selfMFASetupTOTP help info }) { if (($mfaPolicy eq 'password-required' && !$hasMfaPasswordBypass) || $isMfaPasswordRequired) { 
diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index d9d98c1..5c0a1fa 100644 --- a/lib/perl/OVH/Bastion.pm +++ b/lib/perl/OVH/Bastion.pm @@ -178,7 +178,7 @@ sub is_account_nonexpired { my $isFirstLogin; my $lastlog; my $filepath = "/home/$sysaccount/lastlog" . ($remoteaccount ? "_$remoteaccount" : ""); - my $value = {filepath => $filepath}; + my $value = {filepath => $filepath}; if (-e $filepath) { $isFirstLogin = 0; $lastlog = (stat(_))[9]; @@ -230,7 +230,7 @@ sub is_account_nonexpired { if ($accountMaxInactiveDays == 0) { # no expiration configured, allow login and return some info - return R('OK_FIRST_LOGIN', value => $value) if $isFirstLogin; + return R('OK_FIRST_LOGIN', value => $value) if $isFirstLogin; return R('OK_EXPIRATION_NOT_CONFIGURED', value => $value); } else { @@ -360,8 +360,8 @@ sub osh_header { my $versionline = 'the-bastion-' . $VERSION; my $output = ''; $output .= colored('---' . $hostname . '-' x (80 - length($hostname) - length($versionline) - 6) . "$versionline---" . "\n", 'bold blue'); - $output .= colored("=> $text\n", "blue"); - $output .= colored('-' x 80 . "\n", 'blue'); + $output .= colored("=> $text\n", "blue"); + $output .= colored('-' x 80 . "\n", 'blue'); print $output unless ($ENV{'PLUGIN_QUIET'}); return; 
@@ -857,10 +857,10 @@ sub build_ttyrec_cmdline { my $bastionName = OVH::Bastion::config('bastionName')->value; my $ttyrecFilenameFormat = OVH::Bastion::config('ttyrecFilenameFormat')->value; $ttyrecFilenameFormat =~ s/&bastionname/$bastionName/g; - $ttyrecFilenameFormat =~ s/&uniqid/$params{'uniqid'}/g if $params{'uniqid'}; - $ttyrecFilenameFormat =~ s/&ip/$params{'ip'}/g if $params{'ip'}; - $ttyrecFilenameFormat =~ s/&port/$params{'port'}/g if $params{'port'}; - $ttyrecFilenameFormat =~ s/&user/$params{'user'}/g if $params{'user'}; + $ttyrecFilenameFormat =~ s/&uniqid/$params{'uniqid'}/g if $params{'uniqid'}; + $ttyrecFilenameFormat =~ s/&ip/$params{'ip'}/g if $params{'ip'}; + $ttyrecFilenameFormat =~ s/&port/$params{'port'}/g if $params{'port'}; + $ttyrecFilenameFormat =~ s/&user/$params{'user'}/g if $params{'user'}; $ttyrecFilenameFormat =~ s/&account/$params{'account'}/g if $params{'account'}; if ($ttyrecFilenameFormat =~ /&(bastionname|uniqid|ip|port|user|account)/) { diff --git a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm index 1f36258..43919a3 100644 --- a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm +++ b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm @@ -95,7 +95,7 @@ sub preconditions { my $neededright = 'unknown'; if (grep { $type eq $_ } qw{ owner gatekeeper aclkeeper }) { $neededright = "owner"; - $fnret = OVH::Bastion::is_group_owner(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo); + $fnret = OVH::Bastion::is_group_owner(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo); if (!$fnret) { osh_debug("user $self not an owner of $shortGroup"); return R('ERR_NOT_GROUP_OWNER', msg => "Sorry, you're not an owner of group $shortGroup, which is needed to change its $type list"); 
@@ -108,7 +108,7 @@ sub preconditions { } elsif (grep { $type eq $_ } qw{ member guest }) { $neededright = "gatekeeper"; - $fnret = OVH::Bastion::is_group_gatekeeper(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo); + $fnret = OVH::Bastion::is_group_gatekeeper(account => $self, group => $shortGroup, superowner => 1, sudo => $sudo); if (!$fnret) { osh_debug("user $self not a gk of $shortGroup"); return R('ERR_NOT_GROUP_GATEKEEPER', msg => "Sorry, you're not a gatekeeper of group $shortGroup, which is needed to change its $type list"); @@ -171,6 +171,7 @@ sub act { push @command, '--action', $action; $fnret = OVH::Bastion::helper(cmd => \@command); $fnret or return $fnret; + if ($fnret->err eq 'OK_NO_CHANGE') { # make the error msg user friendly diff --git a/lib/perl/OVH/Bastion/ProxyHTTP.pm b/lib/perl/OVH/Bastion/ProxyHTTP.pm index e3cd85c..e61c5e6 100644 --- a/lib/perl/OVH/Bastion/ProxyHTTP.pm +++ b/lib/perl/OVH/Bastion/ProxyHTTP.pm @@ -117,7 +117,7 @@ sub log_and_exit { my $basedir = "/home/proxyhttp/ttyrec"; -d $basedir || mkdir $basedir; - my $srcip = 'src_' . ($ENV{'REMOTE_ADDR'} || '0.0.0.0'); + my $srcip = 'src_' . ($ENV{'REMOTE_ADDR'} || '0.0.0.0'); my $finaldir = "$basedir/$srcip"; -d $finaldir || mkdir $finaldir; @@ -174,7 +174,7 @@ sub configure_hook { ## no critic (RequireFinalReturn) $self->{'server'}{'log_function'} = sub { my ($level, $msg) = @_; warn_syslog("osh-http-proxy-daemon: level $level: $msg"); - } + } } # overrides parent func @@ -301,7 +301,7 @@ sub process_http_request { } my ($account, $user_expression, $remotemachine, $remoteport) = ($1, $2, $3, $5); ## no critic (ProhibitCaptureWithoutTest) undef $loginpart; # no longer needed - $remoteport = 443 if not defined $remoteport; + $remoteport = 443 if not defined $remoteport; $self->{'_log'}{'hostto'} = $remotemachine; $self->{'_log'}{'portto'} = $remoteport; 
@@ -399,7 +399,8 @@ sub process_http_request { push @cmd, "--group", $group if $group; push @cmd, "--timeout", $timeout if $timeout; push @cmd, "--allow-downgrade" if $allow_downgrade; - push @cmd, "--insecure" if ($self->{'proxy_config'}{'insecure'} && !$enforce_secure); + push @cmd, "--insecure" if ($self->{'proxy_config'}{'insecure'} && !$enforce_secure); + foreach my $key (qw{ accept content-type connection }) { push @cmd, "--header", $key . ':' . $req_headers->{$key} if (defined $req_headers->{$key}); } diff --git a/lib/perl/OVH/Bastion/allowdeny.inc b/lib/perl/OVH/Bastion/allowdeny.inc index 5937456..947796f 100644 --- a/lib/perl/OVH/Bastion/allowdeny.inc +++ b/lib/perl/OVH/Bastion/allowdeny.inc @@ -506,7 +506,7 @@ sub print_acls { my $addedDate = $entry->{'addedDate'} || '(unknown)'; $addedDate = substr($addedDate, 0, 10); my $forceKey = $entry->{'forceKey'} || '-'; - my $expiry = $entry->{'expiry'} ? (duration2human(seconds => ($entry->{'expiry'} - time()))->value->{'human'}) : '-'; + my $expiry = $entry->{'expiry'} ? (duration2human(seconds => ($entry->{'expiry'} - time()))->value->{'human'}) : '-'; # type => member ('full'), guest ('partial'), personal or legacy my $ipReverse = OVH::Bastion::ip2host($entry->{'ip'})->value if $reverse; 
@@ -726,11 +726,11 @@ sub is_access_granted { undef $fnret; my $mfaFnret; if ($access->{'type'} =~ /^group/ and $access->{'group'}) { - $fnret = OVH::Bastion::get_group_keys(group => $access->{'group'}, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'}); + $fnret = OVH::Bastion::get_group_keys(group => $access->{'group'}, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'}); $mfaFnret = OVH::Bastion::group_config(key => "mfa_required", group => $access->{'group'}); } elsif ($access->{'type'} =~ /^personal/) { - $fnret = OVH::Bastion::get_personal_account_keys(account => $sysaccount, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'}); + $fnret = OVH::Bastion::get_personal_account_keys(account => $sysaccount, listOnly => $listOnly, noexec => $noexec, forceKey => $access->{'forceKey'}); $mfaFnret = OVH::Bastion::account_config(key => "personal_egress_mfa_required", account => $sysaccount); } else { diff --git a/lib/perl/OVH/Bastion/allowkeeper.inc b/lib/perl/OVH/Bastion/allowkeeper.inc index bdf962a..a4cd229 100644 --- a/lib/perl/OVH/Bastion/allowkeeper.inc +++ b/lib/perl/OVH/Bastion/allowkeeper.inc @@ -95,8 +95,8 @@ sub get_next_available_uid { last if not scalar(getpwuid($next)); $next--; } - return R('OK', value => $next) if not scalar(getpwuid($next)); - return R('ERR_UID_COLLISION', msg => "No available UID in the allowed range"); + return R('OK', value => $next) if not scalar(getpwuid($next)); + return R('ERR_UID_COLLISION', msg => "No available UID in the allowed range"); } sub is_bastion_account_valid_and_existing { diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc index 4188ef3..fb29050 100644 --- a/lib/perl/OVH/Bastion/configuration.inc +++ b/lib/perl/OVH/Bastion/configuration.inc 
@@ -175,17 +175,17 @@ sub load_configuration { $C->{'interactiveModeTimeout'} = 15 if (not defined $C->{'interactiveModeTimeout'} or $C->{'interactiveModeTimeout'} !~ /^\d+$/); - $C->{'syslogFacility'} = 'local7' if (not defined $C->{'syslogFacility'} or $C->{'syslogFacility'} !~ /^\S+$/); + $C->{'syslogFacility'} = 'local7' if (not defined $C->{'syslogFacility'} or $C->{'syslogFacility'} !~ /^\S+$/); $C->{'syslogDescription'} = 'bastion' if (not defined $C->{'syslogDescription'} or $C->{'syslogDescription'} !~ /^\S+$/); $C->{'moshTimeoutNetwork'} = 86400 if (not defined $C->{'moshTimeoutNetwork'} or $C->{'moshTimeoutNetwork'} !~ /^\d+$/); - $C->{'moshTimeoutSignal'} = 30 if (not defined $C->{'moshTimeoutSignal'} or $C->{'moshTimeoutSignal'} !~ /^\d+$/); + $C->{'moshTimeoutSignal'} = 30 if (not defined $C->{'moshTimeoutSignal'} or $C->{'moshTimeoutSignal'} !~ /^\d+$/); $C->{'moshCommandLine'} = "" if (not defined $C->{'moshCommandLine'}); $C->{'ttyrecFilenameFormat'} = '%Y-%m-%d.%H-%M-%S.#usec#.&uniqid.ttyrec' if (not $C->{'ttyrecFilenameFormat'}); - $C->{'idleLockTimeout'} = 0 if (not defined $C->{'idleLockTimeout'} or $C->{'idleLockTimeout'} !~ /^\d+$/); - $C->{'idleKillTimeout'} = 0 if (not defined $C->{'idleKillTimeout'} or $C->{'idleKillTimeout'} !~ /^\d+$/); + $C->{'idleLockTimeout'} = 0 if (not defined $C->{'idleLockTimeout'} or $C->{'idleLockTimeout'} !~ /^\d+$/); + $C->{'idleKillTimeout'} = 0 if (not defined $C->{'idleKillTimeout'} or $C->{'idleKillTimeout'} !~ /^\d+$/); $C->{'warnBeforeLockSeconds'} = 0 if (not defined $C->{'warnBeforeLockSeconds'} or $C->{'warnBeforeLockSeconds'} !~ /^\d+$/); $C->{'warnBeforeKillSeconds'} = 0 if (not defined $C->{'warnBeforeKillSeconds'} or $C->{'warnBeforeKillSeconds'} !~ /^\d+$/); 
@@ -193,9 +193,9 @@ sub load_configuration {
 $C->{'accountMFAPolicy'} = 'enabled';
 }
 $C->{'MFAPasswordInactiveDays'} = -1 if (!defined $C->{'MFAPasswordInactiveDays'} || $C->{'MFAPasswordInactiveDays'} !~ /^-\d+$/);
- $C->{'MFAPasswordMinDays'} = 0 if (!defined $C->{'MFAPasswordMinDays'} || $C->{'MFAPasswordMinDays'} !~ /^-?\d+$/);
- $C->{'MFAPasswordMaxDays'} = 90 if (!defined $C->{'MFAPasswordMaxDays'} || $C->{'MFAPasswordMaxDays'} !~ /^-?\d+$/);
- $C->{'MFAPasswordWarnDays'} = 15 if (!defined $C->{'MFAPasswordWarnDays'} || $C->{'MFAPasswordWarnDays'} !~ /^-?\d+$/);
+ $C->{'MFAPasswordMinDays'} = 0 if (!defined $C->{'MFAPasswordMinDays'} || $C->{'MFAPasswordMinDays'} !~ /^-?\d+$/);
+ $C->{'MFAPasswordMaxDays'} = 90 if (!defined $C->{'MFAPasswordMaxDays'} || $C->{'MFAPasswordMaxDays'} !~ /^-?\d+$/);
+ $C->{'MFAPasswordWarnDays'} = 15 if (!defined $C->{'MFAPasswordWarnDays'} || $C->{'MFAPasswordWarnDays'} !~ /^-?\d+$/);
 # if kill timeout is lower than lock timeout, just unset lock timeout
 $C->{'idleLockTimeout'} = 0 if ($C->{'idleKillTimeout'} <= $C->{'idleLockTimeout'});
@@ -239,7 +239,7 @@ sub load_configuration {
 }
 $C->{'adminAccounts'} = [
 grep { OVH::Bastion::is_bastion_account_valid_and_existing(account => $_) }
- map { s/[^a-zA-Z0-9_-]//g; $_ } @{$C->{'adminAccounts'}}
+ map { s/[^a-zA-Z0-9_-]//g; $_ } @{$C->{'adminAccounts'}}
 ];
 $C->{'documentationURL'} ||= "https://ovh.github.io/the-bastion/";
@@ -302,7 +302,7 @@ sub account_config {
 if (!-d $rootdir) {
 return R('ERR_DIRECTORY_NOT_FOUND', msg => "Home directory of $account ($rootdir) doesn't exist");
 }
- my $prefix = $remoteaccount ? "config_$remoteaccount" : "config";
+ my $prefix = $remoteaccount ? "config_$remoteaccount" : "config";
 my $filename = "$rootdir/$prefix.$key";
 if ($delete) {
@@ -480,7 +480,7 @@ sub json_load {
 my %params = @_;
 # Check params
- my $file = $params{'file'};
+ my $file = $params{'file'};
 my $keywords = $params{'keywords'} || [];
 if (!$file) {
diff --git a/lib/perl/OVH/Bastion/interactive.inc b/lib/perl/OVH/Bastion/interactive.inc
index 83d7a78..870a855 100644
--- a/lib/perl/OVH/Bastion/interactive.inc
+++ b/lib/perl/OVH/Bastion/interactive.inc
@@ -182,7 +182,7 @@ EOM
 while (defined(my $line = $term->readline($prompt))) {
 alarm(0); # disable timeout
 $line =~ s/^\s+|\s+$//g;
- next if (length($line) == 0); # ignore empty lines
+ next if (length($line) == 0); # ignore empty lines
 last if ($line eq 'exit' or $line eq 'quit' or $line eq 'q'); # break out of loop if asked
 $term->addhistory($line);
diff --git a/lib/perl/OVH/Bastion/log.inc b/lib/perl/OVH/Bastion/log.inc
index d7906f7..29774f4 100644
--- a/lib/perl/OVH/Bastion/log.inc
+++ b/lib/perl/OVH/Bastion/log.inc
@@ -358,7 +358,7 @@ sub log_access_insert {
 $params{'timestamp'} = $timestamp;
 $params{'timestampusec'} = $timestampusec;
- my @localtime = localtime(time());
+ my @localtime = localtime(time());
 my $sqlfile_global = sprintf("/home/logkeeper/global-log-%04d.sqlite", $localtime[5] + 1900);
 my $sqlfile_account = sprintf("/home/%s/%s-log-%04d%02d.sqlite", $params{'loghome'}, $remoteaccount || $loghome, $localtime[5] + 1900, $localtime[4] + 1);
diff --git a/lib/perl/OVH/Bastion/os.inc b/lib/perl/OVH/Bastion/os.inc
index 338acc6..e7e959b 100644
--- a/lib/perl/OVH/Bastion/os.inc
+++ b/lib/perl/OVH/Bastion/os.inc
@@ -233,9 +233,9 @@ sub sys_addmembertogroup {
 }
 if (is_openbsd() || is_netbsd()) {
- my $fnret = OVH::Bastion::execute(cmd => ["groups", $user], must_succeed => 1);
+ my $fnret = OVH::Bastion::execute(cmd => ["groups", $user], must_succeed => 1);
 my @stdout = @{$fnret->value->{'stdout'} || []};
- my @cur = split(/ /, $stdout[0]);
+ my @cur = split(/ /, $stdout[0]);
 return R('ERR_SYSTEM_LIMIT_REACHED') if @cur >= 16;
 }
@@ -351,7 +351,7 @@ sub sys_changepassword {
 $stdin_str = "$user:$password";
 }
 elsif (is_freebsd()) {
- @cmd = ('pw', 'usermod', $user, '-h', '0');
+ @cmd = ('pw', 'usermod', $user, '-h', '0');
 $stdin_str = $password;
 }
 elsif (is_openbsd() || is_netbsd()) {
@@ -391,7 +391,7 @@ sub sys_neutralizepassword {
 my $stdin_str;
 if (is_linux()) {
- @cmd = ('chpasswd', '-e');
+ @cmd = ('chpasswd', '-e');
 $stdin_str = "$user:*";
 }
 elsif (is_freebsd()) {
@@ -492,7 +492,7 @@ sub sys_getpasswordinfo {
 }
 require POSIX;
 $ret{'date_changed_timestamp'} = 86400 * delete($ret{'epoch_changed_days'}) + 0;
- $ret{'date_changed'} = $ret{'date_changed_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_changed_timestamp'})) : undef;
+ $ret{'date_changed'} = $ret{'date_changed_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_changed_timestamp'})) : undef;
 $ret{'min_days'} += 0;
 $ret{'max_days'} += 0;
 $ret{'max_days'} = -1 if $ret{'max_days'} >= 9999;
@@ -500,7 +500,7 @@ sub sys_getpasswordinfo {
 $ret{'inactive_days'} = -1 if $ret{'inactive_days'} eq '';
 $ret{'inactive_days'} += 0;
 $ret{'date_disabled_timestamp'} = 86400 * delete($ret{'epoch_disabled_days'}) + 0;
- $ret{'date_disabled'} = $ret{'date_disabled_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_disabled_timestamp'})) : undef;
+ $ret{'date_disabled'} = $ret{'date_disabled_timestamp'} ? POSIX::strftime("%Y-%m-%d", localtime($ret{'date_disabled_timestamp'})) : undef;
 return R('OK', value => \%ret);
 }
@@ -553,7 +553,7 @@ sub sys_setfacl {
 }
 # apply the default ACL
- @cmd = ('setfacl', '-d', '-m', join(',', @perms), $target);
+ @cmd = ('setfacl', '-d', '-m', join(',', @perms), $target);
 $fnret = OVH::Bastion::execute(cmd => \@cmd, must_succeed => 1, noisy_stderr => 1);
 $fnret or return R('ERR_SETFACL_FAILED_FREEBSD', msg => "Couldn't set the prerequisite default ACL");
 }
diff --git a/lib/perl/OVH/Bastion/password.inc b/lib/perl/OVH/Bastion/password.inc
index c3887bd..d4ebc56 100644
--- a/lib/perl/OVH/Bastion/password.inc
+++ b/lib/perl/OVH/Bastion/password.inc
@@ -16,7 +16,7 @@ sub _get_key_from_password {
 my $salt = 'JPYWrLpoXcXFA46m9DUI5z02SqUd2baG';
 my $iterations = 10_000;
- my $hash = hmac_sha256($salt . pack('N', 0), $password);
+ my $hash = hmac_sha256($salt . pack('N', 0), $password);
 my $result = $hash;
 for my $iter (2 .. $iterations) {
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index 2a1aa48..3a3f217 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -91,7 +91,7 @@ sub get_authorized_keys_from_file {
 $key->{'info'} = $info if $info;
 if ($pivAttestationCertificate && $pivKeyCertificate) {
 $fnret = OVH::Bastion::verify_piv(key => $key->{'line'}, attestationCertificate => $pivAttestationCertificate, keyCertificate => $pivKeyCertificate);
- $key->{'isPiv'} = ($fnret ? 1 : 0);
+ $key->{'isPiv'} = ($fnret ? 1 : 0);
 $key->{'pivInfo'} = $fnret->value if $fnret;
 }
 if ($includePivDisabled && $pivDisabled) {
@@ -226,7 +226,7 @@ sub get_ssh_pub_key_info {
 # put that in a tempfile for ssh-keygen inspection
 if (not $noexec) {
- my $fh = File::Temp->new(UNLINK => 1);
+ my $fh = File::Temp->new(UNLINK => 1);
 my $filename = $fh->filename;
 print {$fh} $typecode . " " . $base64;
 close($fh);
@@ -388,7 +388,7 @@ sub get_from_for_user_key {
 # if we have a $key, modify it accordingly
 if ($key) {
 $key->{'prefix'} = $from;
- $key->{'line'} = ($from ? $from . " " : "") . $key->{'typecode'} . " " . $key->{'base64'};
+ $key->{'line'} = ($from ? $from . " " : "") . $key->{'typecode'} . " " . $key->{'base64'};
 $key->{'line'} .= " " . $key->{'comment'} if $key->{'comment'};
 $key->{'fromList'} = \@ipListVerified;
 }
@@ -460,7 +460,7 @@ sub generate_ssh_key {
 $fnret->err eq 'OK' or return R('ERR_SSH_KEYGEN_FAILED', msg => "Error while generating group key (" . $fnret->msg . ")");
 my %files = (
- $sshKeyName => ($group_readable ? 0440 : 0400),
+ $sshKeyName => ($group_readable ? 0440 : 0400),
 $sshKeyName . '.pub' => 0444,
 );
 while (my ($file, $chmod) = each(%files)) {
diff --git a/tests/functional/docker/tester_role.sh b/tests/functional/docker/tester_role.sh
index 88d9a0c..2ecac5d 100755
--- a/tests/functional/docker/tester_role.sh
+++ b/tests/functional/docker/tester_role.sh
@@ -7,18 +7,6 @@ basedir=$(readlink -f "$(dirname "$0")"/../../..)
 # shellcheck source=lib/shell/colors.inc
 . "$basedir"/lib/shell/colors.inc
-
-if [ "$TEST_QUICK" = 0 ]; then
- printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "SHELL CHECK" "$NOC"
- "$(dirname "$0")"/../../../bin/dev/shell-check.sh || exit 254
-
- printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "PERL CRITIC" "$NOC"
- "$(dirname "$0")"/../../../bin/dev/perl-critic.sh || exit 254
-
- printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "PERL TIDY" "$NOC"
- "$(dirname "$0")"/../../../bin/dev/perl-tidy.sh test || exit 254
-fi
-
 printf '%b>>> %b <<<%b\n' "$BOLD_CYAN" "SETTING UP KEYS" "$NOC"
 base64 -d <<< "$USER_PRIVKEY_B64" > /root/user.privkey
 chmod 400 /root/user.privkey