chore: rename some vars for clarity

This commit is contained in:
Stéphane Lesimple 2022-04-05 12:24:04 +00:00 committed by Stéphane Lesimple
parent e040afb074
commit 6fb528ccf1
3 changed files with 47 additions and 39 deletions


@ -131,7 +131,7 @@ $fnret = OVH::Bastion::is_access_granted(
ipfrom => $ENV{'OSH_IP_FROM'},
ip => $ip,
port => $port,
wantKeys => 1
details => 1
);
if (not $fnret) {
my $msg = "Sorry, but you don't seem to have access to $machine";
@ -156,7 +156,7 @@ $fnret = OVH::Bastion::is_access_granted(
ip => $ip,
port => $port,
exactUserMatch => 1,
wantKeys => 1
details => 1
);
if (not $fnret) {
my $msg = "Sorry, but even if you have ssh access to $machine, you still need to be granted specifically for scp";
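Review bot: Renaming `wantKeys => 1` to `details => 1` at both call sites is a silent contract change, because in the third file `is_access_granted` now deletes only `$params{'details'}` and no longer reads `wantKeys`; a caller outside this commit that still passes `wantKeys => 1` would get grants back with no keys or mfa data and no error, and the stale key would stay in `%params`. A guard next to the new `my $details = delete $params{'details'};` line would surface stragglers, e.g. `warn_syslog("is_access_granted: deprecated 'wantKeys' param used, use 'details'") if exists $params{'wantKeys'};`. Alternatively accept the old name as an alias for one release, `$details ||= delete $params{'wantKeys'};`, so callers that were missed degrade loudly rather than silently.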


@ -1124,7 +1124,7 @@ else {
ipfrom => $ipfrom,
ip => $ip,
port => $port,
wantKeys => 1
details => 1
);
}
@ -1163,6 +1163,14 @@ if (!$fnret) {
}
# else, keep calm and carry on
my @accessList = @{$fnret->value || []};
if ($osh_debug) {
require Data::Dumper;
osh_debug("access list array:");
osh_debug(Data::Dumper::Dumper(\@accessList));
}
# build ttyrec command that'll prefix the real command
my $ttyrec_fnret = OVH::Bastion::build_ttyrec_cmdline(
ip => $ip,
@ -1195,52 +1203,51 @@ my $forcePasswordId = -1;
if ($userPasswordClue) {
# locate main password file
my $fnretpass = OVH::Bastion::get_passfile(
$fnret = OVH::Bastion::get_passfile(
hint => $userPasswordClue,
context => $userPasswordContext,
self => ($remoteself || $sysself),
tryLegacy => 1
);
if (!$fnretpass) {
main_exit OVH::Bastion::EXIT_PASSFILE_NOT_FOUND, "passfile-not-found", $fnretpass->msg;
if (!$fnret) {
main_exit OVH::Bastion::EXIT_PASSFILE_NOT_FOUND, "passfile-not-found", $fnret->msg;
}
$passwordFile = $fnretpass->value;
$passwordFile = $fnret->value;
# check if a specific password is forced
foreach my $grant (@{$fnret->value}) {
foreach my $access (@accessList) {
# only keep the grant matching the password clue and context AND with a forced password
if (
$grant->{'forcePassword'}
$access->{'forcePassword'}
&& (
($userPasswordContext eq 'self' && $grant->{'type'} eq 'personal')
($userPasswordContext eq 'self' && $access->{'type'} eq 'personal')
|| ( $userPasswordContext eq 'group'
&& $grant->{'type'} =~ /^group-(member|guest)$/
&& $grant->{'group'} eq $userPasswordClue)
&& $access->{'type'} =~ /^group-(member|guest)$/
&& $access->{'group'} eq $userPasswordClue)
)
)
{
# FIXME: force-password and force-key don't work yet for guest accesses, see #256
# fetch the hashes of the main password and all its fallbacks
my $fnrethashes;
if ($userPasswordContext eq 'self') {
$fnrethashes = OVH::Bastion::get_hashes_list(context => 'account', account => $userPasswordClue);
$fnret = OVH::Bastion::get_hashes_list(context => 'account', account => $userPasswordClue);
}
else {
$fnrethashes = OVH::Bastion::get_hashes_list(context => 'group', group => $userPasswordClue);
$fnret = OVH::Bastion::get_hashes_list(context => 'group', group => $userPasswordClue);
}
if (!$fnrethashes) {
main_exit(OVH::Bastion::EXIT_GET_HASH_FAILED, "get_hashes_list", $fnrethashes->msg);
if (!$fnret) {
main_exit(OVH::Bastion::EXIT_GET_HASH_FAILED, "get_hashes_list", $fnret->msg);
}
# is our forced password's hash one of them ?
for my $id (0 .. $#{$fnrethashes->value}) {
foreach my $hash (values(%{$fnrethashes->value->[$id]->{'hashes'}})) {
if ($grant->{'forcePassword'} eq $hash) {
for my $id (0 .. $#{$fnret->value}) {
foreach my $hash (values(%{$fnret->value->[$id]->{'hashes'}})) {
if ($access->{'forcePassword'} eq $hash) {
$forcePasswordId = $id;
print " forcing password with hash: " . $grant->{'forcePassword'} . "\n\n" unless $quiet;
print " forcing password with hash: " . $access->{'forcePassword'} . "\n\n" unless $quiet;
}
}
}
@ -1305,7 +1312,7 @@ else {
my @keysToTry;
print " will try the following accesses you have: \n" unless $quiet;
foreach my $access (@{$fnret->value || []}) {
foreach my $access (@accessList) {
foreach my $key (@{$access->{'sortedKeys'} || []}) {
my $keyinfo = $access->{'keys'}{$key};
my $type = $access->{'type'} . " of " . $access->{'group'};
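Review bot: The new debug branch `osh_debug(Data::Dumper::Dumper(\@accessList))` dumps every access record wholesale, and with `details => 1` those records now carry ssh key data plus config fields such as `forcePassword`, which the loop below compares against the password hashes returned by `get_hashes_list`; wherever `osh_debug` output ends up (terminal transcript or log — not visible here), those values go with it. A redacted dump keeps the diagnostic value, e.g. `osh_debug(Data::Dumper::Dumper([map { +{ %$_, forcePassword => '[redacted]' } } @accessList]))`. Separately, reusing `$fnret` for `get_passfile` and `get_hashes_list` means `$fnret->value` no longer holds the access list after this block; the loop in the last hunk was switched to `@accessList`, but any later reader of `$fnret` outside these hunks that still expects the grants would now silently see the passfile or hashes result, so that is worth a grep before merging.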


@ -682,7 +682,7 @@ sub is_access_granted {
my $listOnly = $params{'listOnly'}; # don't open the files, just return file names
my $noexec = $params{'noexec'}; # passed to is_valid_public_key
my $wantKeys = delete $params{'wantKeys'}; # if set, look for and return ssh keys along with allowed accesses
my $details = delete $params{'details'}; # if set, look for and return ssh keys + config data along with allowed accesses
delete $params{'way'}; # WE specify this parameter, not our caller
delete $params{'group'}; # WE specify this parameter, not our caller
@ -835,12 +835,12 @@ sub is_access_granted {
}
else {
# should not happen
osh_debug("is_access_granted: $account is in group $shortGroup but is neither member or guest !!?");
warn_syslog("is_access_granted: $account is in group $shortGroup but is neither member or guest !!?");
}
}
# 3/3 fill up keys if asked to
if ($wantKeys) {
# 3/3 fill up keys and other metadata info (mfa, idle lock/kill timeout) if asked to
if ($details) {
foreach my $access (@grants) {
undef $fnret;
my $mfaFnret;
@ -863,7 +863,8 @@ sub is_access_granted {
$mfaFnret = OVH::Bastion::account_config(key => "personal_egress_mfa_required", account => $sysaccount);
}
else {
; # unknown access type? no key!
# unknown access type? no key!
warn_syslog("Unknown access type '" . $access->{'type'} . "' found, ignoring");
}
if ($fnret) {