update of --force-password: guest support, autocompletion, new tests, code cleanups
This commit is contained in:
parent
e4b132ed9a
commit
ff40617624
7 changed files with 54 additions and 38 deletions
|
@ -8,7 +8,10 @@
|
|||
"groupAddServer --group \\S+ --host \\S+ --port" , {"pr" : ["<PORT>"]},
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+)" , {"ac" : ["--user", "--user-any"]},
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user" , {"pr" : ["<USER>"]},
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user(-any| \\S+)" , {"pr" : ["<enter>", "--force"]}
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user(-any| \\S+)" , {"ac" : ["<enter>", "--force-password", "--force"]},
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user(-any| \\S+) --force-password" , {"pr" : ["<HASH>"]},
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user(-any| \\S+) --force-password \\S+" , {"ac" : ["<enter>", "--force"]},
|
||||
"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user(-any| \\S+) --force-password \\S+ --force" , {"pr" : ["<enter>"]}
|
||||
],
|
||||
"master_only": true
|
||||
}
|
||||
|
|
|
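Review bot: The new entries after `--user(-any| \\S+)` only complete `--force` once `--force-password \\S+` has been typed, not the reverse order; the sibling accountAddPersonalAccess and selfAddPersonalAccess files changed in this same commit cover both `--ttl … --force-key` and `--force-key … --ttl`. If groupAddServer accepts the two flags in either order, an entry such as `"groupAddServer --group \\S+ --host \\S+ --port(-any| \\d+) --user(-any| \\S+) --force" , {"ac" : ["<enter>", "--force-password"]},` would keep completion consistent with the other two files. Whether `--force` already has its own entry outside the hunk is not visible here.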
@ -13,17 +13,13 @@
|
|||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+" , {"ac" : ["--force-key","--force-password","<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-key" , {"pr" : ["<FINGERPRINT>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-key \\S+" , {"pr" : ["<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-password" , {"pr" : ["<HASH>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-password \\S+" , {"pr" : ["<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-(key|password) \\S+" , {"pr" : ["<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key" , {"pr" : ["<FINGERPRINT>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key \\S+" , {"ac" : ["--ttl","<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key \\S+ --ttl \\S+" , {"pr" : ["<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password" , {"pr" : ["<HASH>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password \\S+" , {"ac" : ["--ttl","<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password \\S+ --ttl \\S+" , {"pr" : ["<enter>"]}
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+" , {"ac" : ["--ttl","<enter>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"accountAddPersonalAccess --account \\S+ --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+ --ttl \\S+" , {"pr" : ["<enter>"]}
|
||||
],
|
||||
"master_only": true
|
||||
}
|
||||
|
|
|
@ -11,17 +11,13 @@
|
|||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+" , {"ac" : ["--force-key","--force-password","<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-key" , {"pr" : ["<FINGERPRINT>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-key \\S+" , {"pr" : ["<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-password" , {"pr" : ["<HASH>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-password \\S+" , {"pr" : ["<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --ttl \\S+ --force-(key|password) \\S+" , {"pr" : ["<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key" , {"pr" : ["<FINGERPRINT>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key \\S+" , {"ac" : ["--ttl","<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-key \\S+ --ttl \\S+" , {"pr" : ["<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password" , {"pr" : ["<HASH>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password \\S+" , {"ac" : ["--ttl","<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-password \\S+ --ttl \\S+" , {"pr" : ["<enter>"]}
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+" , {"ac" : ["--ttl","<enter>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+ --ttl" , {"pr" : ["<SECONDS>"]},
|
||||
"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+ --ttl \\S+" , {"ac" : ["<enter>"]}
|
||||
],
|
||||
"master_only": true
|
||||
}
|
||||
|
|
|
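Review bot: The last new entry, `--force-(key|password) \\S+ --ttl \\S+`, ends with `{"ac" : ["<enter>"]}`, whereas the line it replaces and the parallel entry added to accountAddPersonalAccess in this same commit both use `{"pr" : ["<enter>"]}`. If the two keys are not interchangeable this is a behaviour change buried in a cleanup; if they are, the two files should still agree. Suggest `"selfAddPersonalAccess --host \\S+ --(port|user) \\S+ --(port|user) \\S+ --force-(key|password) \\S+ --ttl \\S+" , {"pr" : ["<enter>"]}`.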
@ -1151,7 +1151,7 @@ if ($userPasswordClue) {
|
|||
if (
|
||||
$grant->{'forcePassword'}
|
||||
&& ( ($userPasswordContext eq 'self' && $grant->{'type'} eq 'personal')
|
||||
|| ($userPasswordContext eq 'group' && $grant->{'type'} eq 'group-member' && $grant->{'group'} eq $userPasswordClue))
|
||||
|| ($userPasswordContext eq 'group' && $grant->{'type'} =~ /^group-(member|guest)$/ && $grant->{'group'} eq $userPasswordClue))
|
||||
)
|
||||
{
|
||||
|
||||
|
|
|
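Review bot: The widened test `$grant->{'type'} =~ /^group-(member|guest)$/` still excludes the `group-guest-legacy` grants that is_access_granted pushes in this same commit, so whatever this block does for members and guests is skipped for an account whose access comes through the legacy guest path. If that is intended it deserves a comment, e.g. `# legacy guest grants deliberately do not inherit the group's forcePassword`; if not, `/^group-(member|guest(-legacy)?)$/` covers both. The body of this `if` continues outside the hunk.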
@ -786,14 +786,14 @@ sub is_access_granted {
|
|||
|
||||
# the guy must have a guest access but the group itself must also still have access
|
||||
if ($grantedGuest && $grantedGroup) {
|
||||
push @grants, {type => 'group-guest', group => $shortGroup, %{$grantedGuest->value}};
|
||||
push @grants, {type => 'group-guest', group => $shortGroup, %{$grantedGroup->value}};
|
||||
osh_debug("is_access_granted: adding grantedGuest to grants because is guest and group has access");
|
||||
}
|
||||
|
||||
# special legacy case; we also check if account has a legacy access for ip AND that the group ALSO has access to this ip
|
||||
if ($grantedLegacy && $grantedGroup) {
|
||||
osh_debug("is_access_granted: adding grantedLegacy to grants because legacy not null and group has access");
|
||||
push @grants, {type => 'group-guest-legacy', group => $shortGroup, %{$grantedLegacy->value}};
|
||||
push @grants, {type => 'group-guest-legacy', group => $shortGroup, %{$grantedGroup->value}};
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
|
|
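Review bot: Both pushes now splat `%{$grantedGroup->value}` instead of the guest's or legacy entry's own value, so any field carried only by the guest ACL entry is dropped from the resulting grant; if guest entries can carry attributes of their own that callers rely on, this silently loses them and should be called out. The block comment and the osh_debug text (`adding grantedGuest to grants`) now describe a grant that is actually built from the group's entry; suggest `# build the guest grant from the group's ACL entry so group-level attributes (forcePassword, ...) also apply to the guest`. The enclosing sub begins and ends outside the hunk.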
@ -161,14 +161,14 @@ sub is_valid_hash {
|
|||
if (not $hash) {
|
||||
return R('ERR_MISSING_PARAMETER', msg => "Missing parameter 'hash'");
|
||||
}
|
||||
elsif ($hash =~ /^\$1\$[a-zA-Z0-9]+\$[a-zA-Z0-9\.\/]+$/) {
|
||||
return R('OK', value => {type => 'md5crypt', hash => $hash});
|
||||
elsif ($hash =~ /^(\$1\$[a-zA-Z0-9]+\$[a-zA-Z0-9\.\/]+)$/) {
|
||||
return R('OK', value => {type => 'md5crypt', hash => $1});
|
||||
}
|
||||
elsif ($hash =~ /^\$5\$[a-zA-Z0-9]+\$[a-zA-Z0-9\.\/]+$/) {
|
||||
return R('OK', value => {type => 'sha256crypt', hash => $hash});
|
||||
elsif ($hash =~ /^(\$5\$[a-zA-Z0-9]+\$[a-zA-Z0-9\.\/]+)$/) {
|
||||
return R('OK', value => {type => 'sha256crypt', hash => $1});
|
||||
}
|
||||
elsif ($hash =~ /^\$6\$[a-zA-Z0-9]+\$[a-zA-Z0-9\.\/]+$/) {
|
||||
return R('OK', value => {type => 'sha512crypt', hash => $hash});
|
||||
elsif ($hash =~ /^(\$6\$[a-zA-Z0-9]+\$[a-zA-Z0-9\.\/]+)$/) {
|
||||
return R('OK', value => {type => 'sha512crypt', hash => $1});
|
||||
}
|
||||
return R('ERR_INVALID_PARAMETER',
|
||||
msg => 'Specified hash is invalid, examples of hashes: $1$Pl44$BEyG04AjjH0TRhLuhAs4A1 $5$8BzocSDA$Hu/FdA/KrFe9HFWvXL4F5csJFxV1HlrLt4c3AOac5N5');
|
||||
|
|
|
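Review bot: The rewritten patterns still restrict the salt to `[a-zA-Z0-9]+`, while crypt(3) salts may contain `.` and `/`, and sha256crypt/sha512crypt hashes may carry a `rounds=N$` prefix; such hashes fall through to ERR_INVALID_PARAMETER. Rejecting is the safe failure, but if hashes produced by other tools are expected here the salt class should be `[a-zA-Z0-9./]+` and the `$5$`/`$6$` branches should allow an optional `(?:rounds=\d+\$)?`. The switch from returning `$hash` to the captured `$1` looks like it exists to return an untainted value; a comment such as `# return the captured match rather than $hash so the value is untainted` would make that explicit. is_valid_hash starts outside the hunk.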
@ -56,8 +56,8 @@ testsuite_selfaccesses_force_password()
|
|||
fi
|
||||
|
||||
|
||||
# the tests for personal and group access are almost the same
|
||||
for mode in personal group
|
||||
# the tests for personal/group/guest accesses are almost the same
|
||||
for mode in personal group-member group-guest
|
||||
do
|
||||
# create account1, it will be used to connect to account4
|
||||
grant accountCreate
|
||||
|
@ -65,7 +65,7 @@ testsuite_selfaccesses_force_password()
|
|||
json .error_code OK .command accountCreate
|
||||
revoke accountCreate
|
||||
|
||||
if test $mode = "personal"
|
||||
if [ $mode = "personal" ]
|
||||
then
|
||||
# in personal mode, we manipulate account1's own personal accesses to connect to account4
|
||||
target="--account ${account1}"
|
||||
|
@ -81,8 +81,8 @@ testsuite_selfaccesses_force_password()
|
|||
grant accountListPasswords
|
||||
grant accountAddPersonalAccess
|
||||
grant accountDelPersonalAccess
|
||||
else
|
||||
# in group mode, account1 is a member of group1 and we manipulate group1's accesses to connect to account4
|
||||
else # group-*
|
||||
# in group mode, account1 is a member/guest of group1 and we manipulate group1's accesses to connect to account4
|
||||
target="--group ${group1}"
|
||||
gen_pass_plugin="groupGeneratePassword"
|
||||
list_pass_plugin="groupListPasswords"
|
||||
|
@ -97,9 +97,24 @@ testsuite_selfaccesses_force_password()
|
|||
json .error_code OK .command groupCreate
|
||||
revoke groupCreate
|
||||
|
||||
# add account1 as member
|
||||
success g1_member_a1 $a0 --osh groupAddMember --group $group1 --account $account1
|
||||
json .error_code OK .command groupAddMember
|
||||
if [ $mode = "group-member" ]
|
||||
then
|
||||
# add account1 as member
|
||||
success g1_member_a1 $a0 --osh groupAddMember --group $group1 --account $account1
|
||||
json .error_code OK .command groupAddMember
|
||||
else # group-guest
|
||||
# add a temporary group server, so we can set the groupAddGuestAccess, the user/host/port are the same for all connections
|
||||
success g1_add_tmpserver $a0 --osh $add_access_plugin $target --host $remote_ip --user $account4 --port $remote_port
|
||||
json .error_code OK .command $add_access_plugin
|
||||
|
||||
# add account1 guest access
|
||||
success g1_guest_a1 $a0 --osh groupAddGuestAccess --group $group1 --account $account1 --host $remote_ip --user $account4 --port $remote_port
|
||||
json .error_code OK .command groupAddGuestAccess
|
||||
|
||||
# remove temporary server
|
||||
success g1_del_tmpserver $a0 --osh $del_access_plugin $target --host $remote_ip --user $account4 --port $remote_port
|
||||
json .error_code OK .command $del_access_plugin
|
||||
fi
|
||||
fi
|
||||
|
||||
# missing hash
|
||||
|
@ -121,8 +136,14 @@ testsuite_selfaccesses_force_password()
|
|||
|
||||
grant accountListAccesses
|
||||
success ${mode}_listaccess $a0 --osh accountListAccesses --account $account1
|
||||
contain "FORCED-PASSWORD"
|
||||
json .error_code OK .command accountListAccesses .value[0].acl[0].forcePassword $fake_hash
|
||||
json .error_code OK .command accountListAccesses
|
||||
if [ $mode = "group-guest" ]
|
||||
then
|
||||
nocontain "FORCED-PASSWORD" # guests don't see all accesses infos
|
||||
else
|
||||
contain "FORCED-PASSWORD"
|
||||
json .value[0].acl[0].forcePassword $fake_hash
|
||||
fi
|
||||
revoke accountListAccesses
|
||||
|
||||
success ${mode}_del_a4_fp_fake $a0 --osh $del_access_plugin $target --host $remote_ip --user $account4 --port $remote_port
|
||||
|
@ -144,8 +165,8 @@ testsuite_selfaccesses_force_password()
|
|||
# fetch checksums for a1|g1's second and third egress passwords
|
||||
success ${mode}_listpass $a0 --osh $list_pass_plugin $target
|
||||
json .error_code OK .command $list_pass_plugin
|
||||
password2_sha256=$(get_json | jq '.value[1].hashes.sha256crypt' | sed -e 's/"//g')
|
||||
password3_sha256=$(get_json | jq '.value[2].hashes.sha256crypt' | sed -e 's/"//g')
|
||||
password2_sha256=$(get_json | jq -r '.value[1].hashes.sha256crypt')
|
||||
password3_sha256=$(get_json | jq -r '.value[2].hashes.sha256crypt')
|
||||
|
||||
# account1 => account4 *without* force-password: success because the correct password is one of the fallbacks
|
||||
success ${mode}_add_a4_nofp $a0 --osh $add_access_plugin $target --host $remote_ip --user $account4 --port $remote_port
|
||||
|
|
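Review bot: In the hunk at `@ -121,8 +136,14`, the group-guest branch only asserts `nocontain "FORCED-PASSWORD"`, i.e. that the marker is absent, not that the hash itself is hidden from the guest; since the member branch pins `.value[0].acl[0].forcePassword $fake_hash`, the guest branch should pin the opposite with `nocontain "$fake_hash"` so a regression that leaks the hash without the marker is still caught. The `$mode` comparisons in the new `if [ $mode = ... ]` lines are unquoted, which is harmless for these fixed words and matches the file's style. The enclosing testsuite_selfaccesses_force_password function starts and ends outside the hunks.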