Stéphane Lesimple
b58388a3d9
feat: add --proactive-mfa and mfa/nofa interactive commands
...
For bastions using JIT MFA, where MFA can be requested when
attempting to connect through specific groups, or when using
some commands, with respect to MFA being enforced at connection
time directly through the sshd authentication process, one can
now request MFA validation in advance, to work around problems
in commands such as ``clush`` or ``batch``, and interactive mode.
2021-09-21 12:06:40 +02:00
Stéphane Lesimple
f64cf79260
chore: rename an envvar for clarity
2021-09-21 12:06:40 +02:00
Stéphane Lesimple
db8f621abf
doc: add help about the interactive builtin commands (#227)
2021-09-20 17:00:46 +02:00
Stéphane Lesimple
d3f443a532
release v3.05.00
2021-09-14 10:21:04 +02:00
Stéphane Lesimple
ef10d509fd
enh: add max_inactive_days to account configuration (#230)
2021-09-06 14:52:46 +02:00
Stéphane Lesimple
873804dbbe
enh: config reading: add rootonly option
2021-09-02 10:06:47 +02:00
Stéphane Lesimple
9b2aa996b3
enh: better use of account creation metadata
...
Store account creation information in a JSON.
Display this information in `accountInfo` for auditors.
2021-07-23 09:50:18 +02:00
Stéphane Lesimple
c0bebf23d4
fix: accountCreate --uid-auto: rare case where a free UID couldn't be found
...
This happened when a free UID was found, along with a corresponding GID,
but the corresponding GID for the ttyrec group of the account was not
available. Now this is checked directly in get_next_available_uid()
2021-07-19 11:53:18 +02:00
Stéphane Lesimple
858598d80b
chore: add debug info in get_acls()
2021-07-15 18:27:42 +02:00
Stéphane Lesimple
f483b1540a
enh: max account length is now 28 chars up from 18
2021-07-02 17:41:12 +02:00
Stéphane Lesimple
a447662cfd
release v3.04.00
2021-07-02 17:31:47 +02:00
Stéphane Lesimple
01690e8111
bump to v3.03.99-rc2
2021-06-30 17:20:48 +02:00
Stéphane Lesimple
ecee68c8bc
chore: fix spurious empty lines at end of generated rst files
2021-06-30 15:52:47 +02:00
Stéphane Lesimple
b942131092
fix: use local $_ before while(<>) loops
...
This closes a range of bugs that can happen if a function using $_ implicitly
in a while is called in a grep {} or map {} which also uses $_
2021-06-30 09:53:04 +02:00
Stéphane Lesimple
2193ee487d
enh: replace 'allowUTF8' (introduced in rc1) by 'fanciness'
2021-06-30 09:53:04 +02:00
Stéphane Lesimple
d400ceeb9f
doc: clush: document --user and --port
...
Partly fixes #201
2021-06-23 12:24:32 +02:00
Stéphane Lesimple
710b55d845
bump to v3.03.99-rc1
2021-06-03 17:01:10 +02:00
Stéphane Lesimple
2e9fe9288b
enh: httpproxy: add options to fine-tune logging
...
Added the `log_request_response` and `log_request_response_max_size`
options to osh-http-proxy.conf.
By default, requests are logged, including their body, up to a size
of 64K per request response. Before, there was no size limit to the
logged body response.
2021-06-03 16:39:56 +02:00
Stéphane Lesimple
45cfb78b0b
fix: httpproxy: allow more passthrough headers
...
The following additional header is now allowed to come back from the remote server to the client:
* Content-Length
The following additional headers are now passed through to the remote server:
* Content-Length
* Content-Encoding
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
b364706f37
feat: httpproxy: add functional tests
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
d6291f3ad4
feat: httpproxy: add and use execute_simple() for more performance
...
Also handle errors better in hand_http_request()
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
4ad41712fd
fix: interactive: use load_configuration_file() to handle comments in JSON files
2021-05-27 09:34:37 +02:00
Stéphane Lesimple
17a38ff960
fix: json_load(): remove dead code
2021-05-27 09:34:37 +02:00
Stéphane Lesimple
8cc990ad57
feat: add filtering options to several cmds, nicify print_acls()
...
The commands selfListAccesses, accountListAccesses,
groupList, groupListServers, groupListGuestAccesses and
accountList now have options to filter their output through
pattern matching, with --include and --exclude.
The output from the commands using print_acls() is also more
human-friendly, with auto-adjusting column length, and empty
columns omitted.
Closes #60.
2021-05-25 09:42:28 +02:00
Stéphane Lesimple
adb9d8c374
feat: add UTF-8 chars to output when supported and allowed
...
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
2021-05-24 16:44:35 +02:00
Stéphane Lesimple
f3ce9dfb06
enh: clearer error message on non-existing group
2021-04-08 12:57:47 +02:00
Stéphane Lesimple
2a905aca96
release v3.03.01
2021-03-25 11:55:04 +01:00
Stéphane Lesimple
89e49ac8b7
fix: add a case to the ignored perl panic race condition
2021-03-01 09:30:30 +01:00
Stéphane Lesimple
b6c7503a73
release v3.03.00
2021-02-22 17:09:12 +01:00
Stéphane Lesimple
3764d652da
enh: interactive: avoid a warn() when TERM is undef
2021-02-22 11:56:33 +01:00
Stéphane Lesimple
383f2a011c
enh: guests: groupAddGuestAccess now supports setting a comment
...
If no comment is set, the comment is inherited from the group ACL,
as seen in groupListServers.
selfAddPersonalAccess now also returns details
about the added server in the returned JSON.
Closes #18
Closes #17
2021-02-22 11:56:19 +01:00
Stéphane Lesimple
b480316386
fix: groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups
2021-02-22 11:56:19 +01:00
Stéphane Lesimple
ed77c1ef3e
feat: transmit PIV enforcement status to remote realms
...
Closes #33
2021-02-18 16:05:02 +01:00
Stéphane Lesimple
2327c4dfa1
chore: remove useless '## no critic', perltidy
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
5eb5135d26
doc: update
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
488ec6382e
enh: move unexpected-sudo messages from security to code-warning type
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
e760cf6142
feat: add groupGenerateEgressKey and groupDelEgressKey
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
fe58cf1d14
enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
c88be2def1
enh: get_group_keys: return the keyhome to avoid hardcoding it on several places
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
02b76d301a
fix: groupSetRole: pass sudo param to subfuncs to avoid a security warning
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
4624f71ea2
fix: execute: remove osh_warn on tainted params to avoid exposing arguments on coding error
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
3b37242317
chore: more readable version of sql statements
...
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-15 11:25:45 +01:00
Stéphane Lesimple
59187fcf4c
fix: interactive: omit inactivity msg warning when set to 0 seconds
...
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-13 16:09:36 +01:00
Stéphane Lesimple
d430c602bf
release v3.02.00
2021-02-02 15:02:51 +01:00
Stéphane Lesimple
a913c5aa8a
bump to v3.01.99-rc4
2021-01-25 12:18:27 +01:00
Stéphane Lesimple
5d36e820ca
fix: admins no longer inherited superowner powers
...
Regression since rc1
2021-01-25 12:18:04 +01:00
Stéphane Lesimple
3bb1db3a4d
bump to v3.01.99-rc3
2021-01-21 15:57:11 +01:00
Stéphane Lesimple
fd97845c1c
chore: update autoload list accordingly
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
efe3710e4c
feat: groupList/accountList: add --include --exclude
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
80ade2ba4c
fix: debian9: create_file_if_not_exists couldn't chgrp by filehandle
2021-01-20 14:01:55 +01:00