chore: rename some vars for clarity
This commit is contained in:
parent
e040afb074
commit
6fb528ccf1
3 changed files with 47 additions and 39 deletions
|
@ -126,12 +126,12 @@ my $userToCheck = $1 eq 't' ? '!scpupload' : '!scpdownload'; ## no critic (Ca
|
|||
my %keys;
|
||||
osh_debug("Checking access 1/2 of $self to $machine...");
|
||||
$fnret = OVH::Bastion::is_access_granted(
|
||||
account => $self,
|
||||
user => $user,
|
||||
ipfrom => $ENV{'OSH_IP_FROM'},
|
||||
ip => $ip,
|
||||
port => $port,
|
||||
wantKeys => 1
|
||||
account => $self,
|
||||
user => $user,
|
||||
ipfrom => $ENV{'OSH_IP_FROM'},
|
||||
ip => $ip,
|
||||
port => $port,
|
||||
details => 1
|
||||
);
|
||||
if (not $fnret) {
|
||||
my $msg = "Sorry, but you don't seem to have access to $machine";
|
||||
|
@ -156,7 +156,7 @@ $fnret = OVH::Bastion::is_access_granted(
|
|||
ip => $ip,
|
||||
port => $port,
|
||||
exactUserMatch => 1,
|
||||
wantKeys => 1
|
||||
details => 1
|
||||
);
|
||||
if (not $fnret) {
|
||||
my $msg = "Sorry, but even if you have ssh access to $machine, you still need to be granted specifically for scp";
|
||||
|
|
|
@ -1119,12 +1119,12 @@ if ($fnret and $fnret->value() =~ /yes/) {
|
|||
}
|
||||
else {
|
||||
$fnret = OVH::Bastion::is_access_granted(
|
||||
account => $self,
|
||||
user => $user,
|
||||
ipfrom => $ipfrom,
|
||||
ip => $ip,
|
||||
port => $port,
|
||||
wantKeys => 1
|
||||
account => $self,
|
||||
user => $user,
|
||||
ipfrom => $ipfrom,
|
||||
ip => $ip,
|
||||
port => $port,
|
||||
details => 1
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -1163,6 +1163,14 @@ if (!$fnret) {
|
|||
}
|
||||
|
||||
# else, keep calm and carry on
|
||||
my @accessList = @{$fnret->value || []};
|
||||
|
||||
if ($osh_debug) {
|
||||
require Data::Dumper;
|
||||
osh_debug("access list array:");
|
||||
osh_debug(Data::Dumper::Dumper(\@accessList));
|
||||
}
|
||||
|
||||
# build ttyrec command that'll prefix the real command
|
||||
my $ttyrec_fnret = OVH::Bastion::build_ttyrec_cmdline(
|
||||
ip => $ip,
|
||||
|
@ -1195,52 +1203,51 @@ my $forcePasswordId = -1;
|
|||
if ($userPasswordClue) {
|
||||
|
||||
# locate main password file
|
||||
my $fnretpass = OVH::Bastion::get_passfile(
|
||||
$fnret = OVH::Bastion::get_passfile(
|
||||
hint => $userPasswordClue,
|
||||
context => $userPasswordContext,
|
||||
self => ($remoteself || $sysself),
|
||||
tryLegacy => 1
|
||||
);
|
||||
if (!$fnretpass) {
|
||||
main_exit OVH::Bastion::EXIT_PASSFILE_NOT_FOUND, "passfile-not-found", $fnretpass->msg;
|
||||
if (!$fnret) {
|
||||
main_exit OVH::Bastion::EXIT_PASSFILE_NOT_FOUND, "passfile-not-found", $fnret->msg;
|
||||
}
|
||||
$passwordFile = $fnretpass->value;
|
||||
$passwordFile = $fnret->value;
|
||||
|
||||
# check if a specific password is forced
|
||||
foreach my $grant (@{$fnret->value}) {
|
||||
foreach my $access (@accessList) {
|
||||
|
||||
# only keep the grant matching the password clue and context AND with a forced password
|
||||
if (
|
||||
$grant->{'forcePassword'}
|
||||
$access->{'forcePassword'}
|
||||
&& (
|
||||
($userPasswordContext eq 'self' && $grant->{'type'} eq 'personal')
|
||||
($userPasswordContext eq 'self' && $access->{'type'} eq 'personal')
|
||||
|| ( $userPasswordContext eq 'group'
|
||||
&& $grant->{'type'} =~ /^group-(member|guest)$/
|
||||
&& $grant->{'group'} eq $userPasswordClue)
|
||||
&& $access->{'type'} =~ /^group-(member|guest)$/
|
||||
&& $access->{'group'} eq $userPasswordClue)
|
||||
)
|
||||
)
|
||||
{
|
||||
|
||||
# FIXME: force-password and force-key don't work yet for guest accesses, see #256
|
||||
# fetch the hashes of the main password and all its fallbacks
|
||||
my $fnrethashes;
|
||||
if ($userPasswordContext eq 'self') {
|
||||
$fnrethashes = OVH::Bastion::get_hashes_list(context => 'account', account => $userPasswordClue);
|
||||
$fnret = OVH::Bastion::get_hashes_list(context => 'account', account => $userPasswordClue);
|
||||
}
|
||||
else {
|
||||
$fnrethashes = OVH::Bastion::get_hashes_list(context => 'group', group => $userPasswordClue);
|
||||
$fnret = OVH::Bastion::get_hashes_list(context => 'group', group => $userPasswordClue);
|
||||
}
|
||||
|
||||
if (!$fnrethashes) {
|
||||
main_exit(OVH::Bastion::EXIT_GET_HASH_FAILED, "get_hashes_list", $fnrethashes->msg);
|
||||
if (!$fnret) {
|
||||
main_exit(OVH::Bastion::EXIT_GET_HASH_FAILED, "get_hashes_list", $fnret->msg);
|
||||
}
|
||||
|
||||
# is our forced password's hash one of them ?
|
||||
for my $id (0 .. $#{$fnrethashes->value}) {
|
||||
foreach my $hash (values(%{$fnrethashes->value->[$id]->{'hashes'}})) {
|
||||
if ($grant->{'forcePassword'} eq $hash) {
|
||||
for my $id (0 .. $#{$fnret->value}) {
|
||||
foreach my $hash (values(%{$fnret->value->[$id]->{'hashes'}})) {
|
||||
if ($access->{'forcePassword'} eq $hash) {
|
||||
$forcePasswordId = $id;
|
||||
print " forcing password with hash: " . $grant->{'forcePassword'} . "\n\n" unless $quiet;
|
||||
print " forcing password with hash: " . $access->{'forcePassword'} . "\n\n" unless $quiet;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1305,7 +1312,7 @@ else {
|
|||
|
||||
my @keysToTry;
|
||||
print " will try the following accesses you have: \n" unless $quiet;
|
||||
foreach my $access (@{$fnret->value || []}) {
|
||||
foreach my $access (@accessList) {
|
||||
foreach my $key (@{$access->{'sortedKeys'} || []}) {
|
||||
my $keyinfo = $access->{'keys'}{$key};
|
||||
my $type = $access->{'type'} . " of " . $access->{'group'};
|
||||
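Review bot: Reusing `$fnret` for `get_passfile` and `get_hashes_list` in the hunk at 1195 means `$fnret->value` is no longer the access list once this block has run; the two visible readers were moved to `@accessList`, but the stretch between the end of that hunk and the hunk at 1305 is not in view, so any remaining `$fnret->value` reader there would now receive the passfile path or the hashes list instead. It is worth grepping the rest of this file for `$fnret->value` before merging, or simply keeping the dedicated `$fnretpass`/`$fnrethashes` names, which cost nothing. Separately, `@accessList` entries carry `forcePassword` hashes (compared at `$access->{'forcePassword'} eq $hash`) and the per-access `keys` data read in the 1305 hunk, so the new `Data::Dumper` dump in the 1163 hunk writes those wherever `osh_debug` output goes; if that output can end up in a persistent log, consider masking `forcePassword` before dumping. The enclosing code starts and ends outside these hunks.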
|
|
|
@ -682,10 +682,10 @@ sub is_access_granted {
|
|||
my $listOnly = $params{'listOnly'}; # don't open the files, just return file names
|
||||
my $noexec = $params{'noexec'}; # passed to is_valid_public_key
|
||||
|
||||
my $wantKeys = delete $params{'wantKeys'}; # if set, look for and return ssh keys along with allowed accesses
|
||||
my $details = delete $params{'details'}; # if set, look for and return ssh keys + config data along with allowed accesses
|
||||
|
||||
delete $params{'way'}; # WE specify this parameter, not our caller
|
||||
delete $params{'group'}; # WE specify this parameter, not our caller
|
||||
delete $params{'way'}; # WE specify this parameter, not our caller
|
||||
delete $params{'group'}; # WE specify this parameter, not our caller
|
||||
|
||||
my @grants;
|
||||
my $fnret;
|
||||
|
@ -835,12 +835,12 @@ sub is_access_granted {
|
|||
}
|
||||
else {
|
||||
# should not happen
|
||||
osh_debug("is_access_granted: $account is in group $shortGroup but is neither member or guest !!?");
|
||||
warn_syslog("is_access_granted: $account is in group $shortGroup but is neither member or guest !!?");
|
||||
}
|
||||
}
|
||||
|
||||
# 3/3 fill up keys if asked to
|
||||
if ($wantKeys) {
|
||||
# 3/3 fill up keys and other metadata info (mfa, idle lock/kill timeout) if asked to
|
||||
if ($details) {
|
||||
foreach my $access (@grants) {
|
||||
undef $fnret;
|
||||
my $mfaFnret;
|
||||
|
@ -863,7 +863,8 @@ sub is_access_granted {
|
|||
$mfaFnret = OVH::Bastion::account_config(key => "personal_egress_mfa_required", account => $sysaccount);
|
||||
}
|
||||
else {
|
||||
; # unknown access type? no key!
|
||||
# unknown access type? no key!
|
||||
warn_syslog("Unknown access type '" . $access->{'type'} . "' found, ignoring");
|
||||
}
|
||||
if ($fnret) {
|
||||
|
||||
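Review bot: Renaming the parameter from `wantKeys` to `details` in the hunk at 682 drops the old key without an alias or a warning, so a caller outside the three files touched here that still passes `wantKeys => 1` would silently get its accesses back without keys or MFA/idle metadata rather than an error. Since the parameter is consumed with `delete`, accepting the old name for a transition period and flagging it is cheap: `warn_syslog("is_access_granted: deprecated 'wantKeys' parameter used, use 'details'") if exists $params{'wantKeys'};` followed by `my $details = delete $params{'details'} // delete $params{'wantKeys'};`. Whether an unknown-parameter check exists further down in the sub is not visible here. The `warn_syslog` added for the unknown access type in the 863 hunk is a good addition; `is_access_granted`'s body starts and ends outside these hunks.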
|
|