feat: add admin-configurable lock/kill timeout per plugin

bin/shell/osh.pl

@@ -876,6 +876,16 @@ my %bastion_details = (
     },
 );
 
+# For either an SSH connection or a plugin,
+# we first compute the correct idle-kill-timeout and idle-lock-timeout value,
+# as these can be overridden for group accesses, see the help of groupModify command
+# for details on the algorithm's logic.
+# it can also be overridden on a per-plugin basis
+my %idleTimeout = (
+    kill => OVH::Bastion::config("idleKillTimeout")->value,
+    lock => OVH::Bastion::config("idleLockTimeout")->value,
+);
+
 #
 #   First case. We have an OSH command
 #
@@ -1028,6 +1038,14 @@ if ($osh_command) {
         }
         $ENV{'OSH_IP_FROM'} = $ipfrom;    # used in some plugins for is_access_granted()
 
+        # check if we have a plugin override for idle lock/kill timeouts
+        foreach my $timeoutType (qw{ idle kill }) {
+            $fnret = OVH::Bastion::plugin_config(plugin => $osh_command, key => "idle_${timeoutType}_timeout");
+            if ($fnret && defined $fnret->value) {
+                $idleTimeout{${timeoutType}} = $fnret->value;
+            }
+        }
+
         # build ttyrec command that'll prefix the real command
         $fnret = OVH::Bastion::build_ttyrec_cmdline(
             ip             => $osh_command,
@@ -1049,6 +1067,8 @@ if ($osh_command) {
                 plugin => $osh_command,
                 key    => "stealth_stderr"
             )->value ? 1 : 0,
+            idleLockTimeout => $idleTimeout{'lock'},
+            idleKillTimeout => $idleTimeout{'kill'},
         );
         main_exit(OVH::Bastion::EXIT_TTYREC_CMDLINE_FAILED, "ttyrec_failed", $fnret->msg) if !$fnret;
 
@@ -1282,16 +1302,7 @@ if ($telnet) {
 else {
     my @preferredAuths;
 
-    # we first compute the correct idle-kill-timeout and idle-lock-timeout value,
-    # as these can be overriden for group accesses, see the help of groupModify command
-    # for details on the algorithm's logic, it is also commented below.
-    # First, we init the vars with the global setting.
-    my %idleTimeout = (
-        kill => OVH::Bastion::config("idleKillTimeout")->value,
-        lock => OVH::Bastion::config("idleLockTimeout")->value,
-    );
-
-    # Then, gather all the timeouts overrides that may be defined for the matching groups
+    # Now gather all the timeouts overrides that may be defined for the matching groups
     my %idleTimeoutsOverride = (kill => [], lock => []);
     foreach my $access (@accessList) {
         next if ($access->{'type'} !~ /^group/);

lib/perl/OVH/Bastion.pm

@@ -1077,11 +1077,11 @@ sub build_ttyrec_cmdline {
     my $fnret  = build_ttyrec_cmdline_part1of2(%params);
     $fnret or return $fnret;
 
-    # for this simple version, use global timeout values
+    # for this simple version, use global timeout values if not specified in %params
     return build_ttyrec_cmdline_part2of2(
         input           => $fnret->value,
-        idleLockTimeout => OVH::Bastion::config("idleLockTimeout")->value,
-        idleKillTimeout => OVH::Bastion::config("idleKillTimeout")->value
+        idleLockTimeout => ($params{'idleLockTimeout'} // OVH::Bastion::config("idleLockTimeout")->value),
+        idleKillTimeout => ($params{'idleKillTimeout'} // OVH::Bastion::config("idleKillTimeout")->value)
     );
 }