fix: allow ssh-as in connect.pl

2024-12-26 09:35:01 +08:00 · 2024-10-16 08:46:56 +00:00 · 2024-10-16 08:46:56 +00:00 · 8cafbc854c
commit 8cafbc854c
parent 36352d6dcc
2 changed files with 47 additions and 2 deletions
--- a/bin/shell/connect.pl
+++ b/bin/shell/connect.pl
@ -84,12 +84,26 @@ if (open(my $fh, '<', "/proc/" . getppid() . '/cmdline')) {
    }

    # clush plugin
-    elsif ($pargv[1] =~ m{^/opt/bastion/bin/plugin/(open|restricted)/clush$}) {
+    elsif ($pargv[1] =~ m{/bin/plugin/(open|restricted)/clush$}) {
        ;    # we're being called by the clush plugin, ok
    }

    # interactive mode: our parent is osh.pl
-    elsif ($pargv[0] eq 'perl' and $pargv[1] eq '/opt/bastion/bin/shell/osh.pl') {
+    elsif ($pargv[0] eq 'perl' and $pargv[1] =~ m{/bin/shell/osh\.pl$}) {
+        ;    # we're being called by the interactive mode of osh.pl, ok
+    }
+
+    # --ssh-as
+    elsif ( @pargv == 10
+        and $pargv[0] eq 'sudo'
+        and $pargv[1] eq '-n'
+        and $pargv[2] eq '-u'
+        and $pargv[4] eq '--'
+        and $pargv[5] eq '/usr/bin/env'
+        and $pargv[6] eq 'perl'
+        and $pargv[7] =~ m{/bin/shell/osh\.pl$}
+        and $pargv[8] eq '-c')
+    {
        ;    # we're being called by the interactive mode of osh.pl, ok
    }

--- a/tests/functional/tests.d/300-activeness.sh
+++ b/tests/functional/tests.d/300-activeness.sh
@ -40,6 +40,37 @@ testsuite_activeness()
    # for remaining tests, disable the feature
    configchg 's=^\\\\x22accountExternalValidationProgram\\\\x22.+=\\\\x22accountExternalValidationProgram\\\\x22:\\\\x22\\\\x22,='

+    # SSH-AS
+
+    grant accountAddPersonalAccess
+
+    # allow account1 to localhost, just so that ssh-as calls connect.pl (even if the connection doesn't make it through in the end)
+    success add_access_to_a1 $a0 --osh accountAddPersonalAccess --account $account2 --host 127.0.0.1 --user sshas --port 22
+
+    revoke accountAddPersonalAccess
+
+    # now, test ssh-as
+    run ssh_as_denied $a1 --ssh-as $account2 sshas@127.0.0.1
+    retvalshouldbe 106
+    json .error_code KO_SSHAS_DENIED
+
+    # set account1 as admin
+    success set_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-admin\""
+    configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22,\\\\x22'"$account1"'\\\\x22],='
+
+    # test ssh-as again
+    run ssh_as_allowed $a1 --ssh-as $account2 sshas@127.0.0.1
+    retvalshouldbe 255
+    contain "you'll now impersonate"
+    contain "Connecting..."
+    contain "Permission denied (publickey)"
+
+    # and finally remove admin grant
+    success del_a1_as_admin $r0 "\". $opt_remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-admin\""
+    configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],='
+
+    # /SSH-AS
+
    grant accountDelete

    # delete account1