parent
a0d361b8da
commit
84687256a8
7 changed files with 57 additions and 14 deletions
|
@ -19,7 +19,7 @@ use OVH::Bastion::Helper;
|
|||
# Fetch command options
|
||||
my $fnret;
|
||||
my ($result, @optwarns);
|
||||
my ($group, $user, $ip, $port, $action, $force, $forcePassword, $ttl, $comment);
|
||||
my ($group, $user, $ip, $port, $action, $force, $forcePassword, $forceKey, $ttl, $comment);
|
||||
eval {
|
||||
local $SIG{__WARN__} = sub { push @optwarns, shift };
|
||||
$result = GetOptions(
|
||||
|
@ -30,6 +30,7 @@ eval {
|
|||
"action=s" => sub { $action //= $_[1] },
|
||||
"force" => sub { $force //= $_[1] },
|
||||
"force-password=s" => sub { $forcePassword //= $_[1] },
|
||||
"force-key=s" => sub { $forceKey //= $_[1] },
|
||||
"ttl=i" => sub { $ttl //= $_[1] },
|
||||
"comment=s" => sub { $comment //= $_[1] },
|
||||
|
||||
|
@ -91,6 +92,7 @@ $fnret = OVH::Bastion::access_modify(
|
|||
user => $user,
|
||||
port => $port,
|
||||
forcePassword => $forcePassword,
|
||||
forceKey => $forceKey,
|
||||
ttl => $ttl,
|
||||
comment => $comment,
|
||||
);
|
||||
|
@ -105,6 +107,7 @@ if ($fnret->err eq 'OK') {
|
|||
user => $user,
|
||||
port => $port,
|
||||
forcePassword => $forcePassword,
|
||||
forceKey => $forceKey,
|
||||
ttl => $ttl,
|
||||
comment => $comment
|
||||
},
|
||||
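Review bot: The helper now parses both `--force-password=s` and `--force-key=s` (lines 47 and 50) and forwards them straight to `OVH::Bastion::access_modify` (lines 71–74), but no mutual-exclusion check or fingerprint validation is visible in the helper itself, whereas the plugins in this commit add both. Since the helper is the privileged side of the plugin/helper split, it should not rely on the unprivileged plugin having rejected the combination, unless `access_modify` does so itself (not visible on this page). Suggest mirroring the plugin check right after option parsing, `if ($forceKey && $forcePassword) { # exit with the same error code the plugins use }`, and validating `$forceKey` with `OVH::Bastion::is_valid_fingerprint` before the call. The `eval`/`GetOptions` block opened at line 28 continues outside the hunk.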
|
|
|
@ -20,7 +20,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|||
"scpdown" => \my $scpDown,
|
||||
"sftp" => \my $sftp,
|
||||
"force" => \my $force, # for slashes, and/or for servers that are down (no connection test)
|
||||
"force-key" => \my $forceKey,
|
||||
"force-key=s" => \my $forceKey,
|
||||
"force-password=s" => \my $forcePassword,
|
||||
"ttl=s" => \my $ttl,
|
||||
"comment=s" => \my $comment,
|
||||
|
@ -89,6 +89,10 @@ if (defined $ttl) {
|
|||
$ttl = $fnret->value->{'seconds'};
|
||||
}
|
||||
|
||||
if ($forceKey && $forcePassword) {
|
||||
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --force-key and --force-password at the same time";
|
||||
}
|
||||
|
||||
if ($forceKey) {
|
||||
$fnret = OVH::Bastion::is_valid_fingerprint(fingerprint => $forceKey);
|
||||
$fnret or osh_exit $fnret;
|
||||
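Review bot: The error code emitted at line 156, `ERR_INCOMPATIBLE_PARAMETERS`, does not match what the new test asserts at line 448, `.error_code ERR_CONFLICTING_PARAMETERS`, so as written either the plugin or the test is wrong; the same string is repeated in the two other plugins on this page at lines 190 and 223. Settle on one identifier and use it in all three plugins and in the test. Separately, changing the option spec from `"force-key"` to `"force-key=s"` (lines 126/129) turns a former boolean flag into a value-taking option, so any existing invocation of `--force-key` without an argument will now be rejected by the option parser; worth a line in the plugin's help text if it is not already there. The code enclosing both hunks begins outside them.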
|
|
|
@ -97,6 +97,10 @@ if ($forcePassword) {
|
|||
$forcePassword = $fnret->value->{'hash'};
|
||||
}
|
||||
|
||||
if ($forceKey && $forcePassword) {
|
||||
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --force-key and --force-password at the same time";
|
||||
}
|
||||
|
||||
osh_info "Can't verify whether $account\'s personal key has been installed to the remote server, "
|
||||
. "as you don't have access to their private keys, adding the access blindly";
|
||||
|
||||
|
|
|
@ -85,6 +85,10 @@ if ($forcePassword) {
|
|||
$forcePassword = $fnret->value->{'hash'};
|
||||
}
|
||||
|
||||
if ($forceKey && $forcePassword) {
|
||||
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --force-key and --force-password at the same time";
|
||||
}
|
||||
|
||||
if (not $force) {
|
||||
$fnret = OVH::Bastion::ssh_test_access_way(
|
||||
account => $self,
|
||||
|
|
|
@ -1367,16 +1367,18 @@ else {
|
|||
my @keysToTry;
|
||||
print " will try the following accesses you have: \n" unless $quiet;
|
||||
foreach my $access (@accessList) {
|
||||
# each access has a type and possibly several keys
|
||||
my $type = $access->{'type'} . " of " . $access->{'group'};
|
||||
if ($access->{'type'} =~ /^group/) {
|
||||
$type = colored($access->{'type'}, $access->{'type'} eq 'group-member' ? 'green' : 'yellow');
|
||||
$type .= " of " . colored($access->{'group'}, 'blue bold');
|
||||
}
|
||||
elsif ($access->{'type'} =~ /^personal/) {
|
||||
$type = colored($access->{'type'}, 'red') . ' access';
|
||||
}
|
||||
|
||||
foreach my $key (@{$access->{'sortedKeys'} || []}) {
|
||||
my $keyinfo = $access->{'keys'}{$key};
|
||||
my $type = $access->{'type'} . " of " . $access->{'group'};
|
||||
if ($access->{'type'} =~ /^group/) {
|
||||
$type = colored($access->{'type'}, $access->{'type'} eq 'group-member' ? 'green' : 'yellow');
|
||||
$type .= " of " . colored($access->{'group'}, 'blue bold');
|
||||
}
|
||||
elsif ($access->{'type'} =~ /^personal/) {
|
||||
$type = colored($access->{'type'}, 'red') . ' access';
|
||||
}
|
||||
my $keyinfo = $access->{'keys'}{$key};
|
||||
my $generated = strftime("[%Y/%m/%d]", localtime($keyinfo->{'mtime'}));
|
||||
|
||||
if ((not $useKey) || ($useKey eq $keyinfo->{'fingerprint'})) {
|
||||
|
@ -1399,6 +1401,11 @@ else {
|
|||
push @keysToTry, $keyinfo->{'fullpath'} if not(grep { $_ eq $keyinfo->{'fullpath'} } @keysToTry);
|
||||
}
|
||||
}
|
||||
if ($access->{'forceKey'} && @{$access->{'sortedKeys'} || []} == 0) {
|
||||
printf(" - %s but found no key matching the forced fingerprint in corresponding ACL %s\n",
|
||||
$type, colored('(SKIPPED)', 'bold red'))
|
||||
unless $quiet;
|
||||
}
|
||||
}
|
||||
if ($useKey and not @keysToTry) {
|
||||
print " >>> No key matched the fingerprint you gave me ($useKey), connection will fail!\n";
|
||||
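Review bot: The `(SKIPPED)` message at lines 338–347 fires whenever `$access->{'forceKey'}` is set and `sortedKeys` is empty, which only means "no key matched the forced fingerprint" if the key list was already narrowed to that fingerprint before this loop; that narrowing is not in this hunk, so a short comment would spare the next reader the hunt, e.g. `# sortedKeys is expected to already be restricted to forceKey by is_access_granted — confirm`. Also, `@{$access->{'sortedKeys'} || []}` is now dereferenced twice (lines 284 and 338); hoisting `my @sortedKeys = @{ $access->{'sortedKeys'} || [] };` above the inner loop and using it in both places reads more clearly and avoids the repeated default. The enclosing `else` block begins and ends outside the hunk.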
|
|
|
@ -882,8 +882,6 @@ sub is_access_granted {
|
|||
warn_syslog("Unknown access type '" . $access->{'type'} . "' found, ignoring");
|
||||
}
|
||||
if ($data{'keys'}) {
|
||||
|
||||
# TODO implement $access->{forceKey} check to include only the proper key
|
||||
$access->{'keys'} = $data{'keys'}->value->{'keys'};
|
||||
$access->{'sortedKeys'} = $data{'keys'}->value->{'sortedKeys'};
|
||||
$access->{'mfaRequired'} = $data{'mfa'}->value if $data{'mfa'};
|
||||
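Review bot: The TODO at line 379 about restricting the key list to `$access->{forceKey}` is removed, but nothing in this hunk shows where that restriction now happens; if it is applied where `$data{'keys'}` is computed, a one-line comment in its place would keep that contract visible to readers of `is_access_granted`, e.g. `# $data{'keys'} is already restricted to the forced key when $access->{'forceKey'} is set — confirm`. If it is not applied anywhere yet, the TODO should stay, since the connection code in this commit prints a "no key matching the forced fingerprint" message on the strength of `sortedKeys` being empty. `sub is_access_granted` begins and continues outside the hunk.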
|
|
|
@ -111,6 +111,7 @@ testsuite_groups()
|
|||
.value.public_key.family RSA
|
||||
EOS
|
||||
)
|
||||
key0fp=$(get_json | $jq .value.fingerprint)
|
||||
# new state: g1[a1(ow,gk,acl,member)]
|
||||
|
||||
# create g3 with a3 as owner to test key generation of a group a3 is not an owner of, without getting the early no-owner deny
|
||||
|
@ -134,9 +135,31 @@ EOS
|
|||
key1id=$(get_json | $jq .value.id)
|
||||
key1fp=$(get_json | $jq .value.fingerprint)
|
||||
|
||||
success a0_list_group_keys_g1 $a0 --osh groupInfo --group $group1
|
||||
success a1_list_group_keys_g1 $a1 --osh groupInfo --group $group1
|
||||
json .command groupInfo .error_code OK ".value.keys.\"$key1fp\".typecode" ssh-ed25519
|
||||
|
||||
# now that we have several keys, take the opportunity to test force-key
|
||||
|
||||
plgfail a1_add_access_force_key_and_pwd_g1 $a1 --osh groupAddServer --host 127.1.2.3 --user-any --port-any --force --force-password '$1$2$3456' --force-key "$key1fp" --group $group1
|
||||
.error_code ERR_CONFLICTING_PARAMETERS
|
||||
|
||||
success a1_add_access_force_key_g1 $a1 --osh groupAddServer --host 127.1.2.3 --user-any --port-any --force --force-key "$key1fp" --group $group1
|
||||
|
||||
success a1_list_servers_check_force_key_g1 $a1 --osh groupListServers --group $group1
|
||||
json '.value|.[]|select(.ip=="127.1.2.3")|.forceKey' "$key1fp"
|
||||
|
||||
# try to use the force key
|
||||
|
||||
run a1_connect_g1_with_forcekey $a1 forcedkey@127.1.2.3 -- false
|
||||
contain 'Connecting...'
|
||||
contain 'FORCED IN ACL'
|
||||
contain "$key1fp"
|
||||
nocontain "$key0fp"
|
||||
|
||||
success a1_remove_forcekey_acl_g1 $a1 --osh groupDelServer --host 127.1.2.3 --user-any --port-any --group $group1
|
||||
|
||||
# /force-key
|
||||
|
||||
run a0_del_key_g1 $a0 --osh groupDelEgressKey --group $group1 --id $key1id
|
||||
retvalshouldbe 106
|
||||
json .command null .error_code KO_RESTRICTED_COMMAND .value null
|
||||
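Review bot: The new force-key block (lines 440–493) exercises only the happy path and the conflicting-parameter case; there is no case where `--force-key` is given a fingerprint that matches none of the group's keys, which is the branch that prints the `(SKIPPED)` line added to the connection code in this commit, and no case with a malformed fingerprint to exercise the plugin's `is_valid_fingerprint` check. Suggest one `plgfail` with an obviously invalid fingerprint (for example a short garbage string) and, if the harness allows, a `run`/`contain 'SKIPPED'` pair after forcing a fingerprint the group does not hold. Also note that the expected `.error_code` at line 448 must agree with the string the plugins actually emit.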
|
|