Stéphane Lesimple
f483b1540a
enh: max account length is now 28 chars up from 18
2021-07-02 17:41:12 +02:00
Stéphane Lesimple
a447662cfd
release v3.04.00
2021-07-02 17:31:47 +02:00
Stéphane Lesimple
01690e8111
bump to v3.03.99-rc2
2021-06-30 17:20:48 +02:00
Stéphane Lesimple
ecee68c8bc
chore: fix spurious empty lines at end of generated rst files
2021-06-30 15:52:47 +02:00
Stéphane Lesimple
b942131092
fix: use local $_ before while(<>) loops
...
This closes a range of bugs that can happen if a function using $_ implicitly
in a while is called in a grep {} or map {} which also uses $_
2021-06-30 09:53:04 +02:00
Stéphane Lesimple
2193ee487d
enh: replace 'allowUTF8' (introduced in rc1) by 'fanciness'
2021-06-30 09:53:04 +02:00
Stéphane Lesimple
d400ceeb9f
doc: clush: document --user and --port
...
Partly fixes #201
2021-06-23 12:24:32 +02:00
Stéphane Lesimple
710b55d845
bump to v3.03.99-rc1
2021-06-03 17:01:10 +02:00
Stéphane Lesimple
2e9fe9288b
enh: httpproxy: add options to fine-tune logging
...
Added the `log_request_response` and `log_request_response_max_size`
options to osh-http-proxy.conf.
By default, requests are logged, including their body, up to a size
of 64K per request response. Before, there was no size limit to the
logged body response.
2021-06-03 16:39:56 +02:00
Stéphane Lesimple
45cfb78b0b
fix: httpproxy: allow more passthrough headers
...
The following additional header is now allowed to come back from the remote server to the client:
* Content-Length
The following additional headers are now passed through to the remote server:
* Content-Length
* Content-Encoding
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
b364706f37
feat: httpproxy: add functional tests
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
d6291f3ad4
feat: httpproxy: add and use execute_simple() for more performance
...
Also handle errors better in hand_http_request()
2021-06-03 16:16:29 +02:00
Stéphane Lesimple
4ad41712fd
fix: interactive: use load_configuration_file() to handle comments in JSON files
2021-05-27 09:34:37 +02:00
Stéphane Lesimple
17a38ff960
fix: json_load(): remove dead code
2021-05-27 09:34:37 +02:00
Stéphane Lesimple
8cc990ad57
feat: add filtering options to several cmds, nicify print_acls()
...
The commands selfListAccesses, accountListAccesses,
groupList, groupListServers, groupListGuestAccesses and
accountList now have options to filter their output through
pattern matching, with --include and --exclude.
The output from the commands using print_acls() is also more
human-friendly, with auto-adjusting column length, and empty
columns omitted.
Closes #60.
2021-05-25 09:42:28 +02:00
Stéphane Lesimple
adb9d8c374
feat: add UTF-8 chars to output when supported and allowed
...
To enhance the readability and visibility of important messages
(such as critical ones). This can be disabled with the `allowUTF8`
global option set to `false`. It's never enabled if the user locale
or their terminal don't seem to support it.
2021-05-24 16:44:35 +02:00
Stéphane Lesimple
f3ce9dfb06
enh: clearer error message on non-existing group
2021-04-08 12:57:47 +02:00
Stéphane Lesimple
2a905aca96
release v3.03.01
2021-03-25 11:55:04 +01:00
Stéphane Lesimple
89e49ac8b7
fix: add a case to the ignored perl panic race condition
2021-03-01 09:30:30 +01:00
Stéphane Lesimple
b6c7503a73
release v3.03.00
2021-02-22 17:09:12 +01:00
Stéphane Lesimple
3764d652da
enh: interactive: avoid a warn() when TERM is undef
2021-02-22 11:56:33 +01:00
Stéphane Lesimple
383f2a011c
enh: guests: groupAddGuestAccess now supports setting a comment
...
If no comment is set, the comment is inherited from the group ACL,
as seen in groupListServers.
selfAddPersonalAccess now also returns details
about the added server in the returned JSON.
Closes #18
Closes #17
2021-02-22 11:56:19 +01:00
Stéphane Lesimple
b480316386
fix: groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups
2021-02-22 11:56:19 +01:00
Stéphane Lesimple
ed77c1ef3e
feat: transmit PIV enforcement status to remote realms
...
Closes #33
2021-02-18 16:05:02 +01:00
Stéphane Lesimple
2327c4dfa1
chore: remove useless '## no critic', perltidy
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
5eb5135d26
doc: update
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
488ec6382e
enh: move unexpected-sudo messages from security to code-warning type
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
e760cf6142
feat: add groupGenerateEgressKey and groupDelEgressKey
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
fe58cf1d14
enh: egress ssh key: compute an ID so that keys can be pointed to and deleted
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
c88be2def1
enh: get_group_keys: return the keyhome to avoid hardcoding it in several places
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
02b76d301a
fix: groupSetRole: pass sudo param to subfuncs to avoid a security warning
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
4624f71ea2
fix: execute: remove osh_warn on tainted params to avoid exposing arguments on coding error
2021-02-17 10:03:40 +01:00
Stéphane Lesimple
3b37242317
chore: more readable version of sql statements
...
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-15 11:25:45 +01:00
Stéphane Lesimple
59187fcf4c
fix: interactive: omit inactivity msg warning when set to 0 seconds
...
Signed-off-by: Stéphane Lesimple <stephane.lesimple+bastion@ovhcloud.com>
2021-02-13 16:09:36 +01:00
Stéphane Lesimple
d430c602bf
release v3.02.00
2021-02-02 15:02:51 +01:00
Stéphane Lesimple
a913c5aa8a
bump to v3.01.99-rc4
2021-01-25 12:18:27 +01:00
Stéphane Lesimple
5d36e820ca
fix: admins no longer inherited superowner powers
...
Regression since rc1
2021-01-25 12:18:04 +01:00
Stéphane Lesimple
3bb1db3a4d
bump to v3.01.99-rc3
2021-01-21 15:57:11 +01:00
Stéphane Lesimple
fd97845c1c
chore: update autoload list accordingly
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
efe3710e4c
feat: groupList/accountList: add --include --exclude
2021-01-21 15:56:59 +01:00
Stéphane Lesimple
80ade2ba4c
fix: debian9: create_file_if_not_exists couldn't chgrp by filehandle
2021-01-20 14:01:55 +01:00
Stéphane Lesimple
69778815bb
enh: groupList: use cache to speedup calls
...
On bastions with thousands of groups, the speedup is ~x10
2021-01-20 14:01:55 +01:00
Stéphane Lesimple
928bf0c7b0
enh: config: detect warnBefore/idleTimeout misconfiguration
...
Before, an inconsistency in the configuration settings of the warnBefore(Lock|Kill)Seconds
and idle(Lock|Kill)Timeout could break any new connection (ttyrec refuses to launch).
Now we detect this case properly, and fall back to a sane setting for
warnBefore(Lock|Kill)Seconds (zero) if those were set without enabling the corresponding
idle(Lock|Kill)Timeout setting. We also log an error to syslog when it happens,
so that the sysadmin can fix their configuration.
Added hints about how these configuration options work together in the bastion.conf.dist file.
Fixes #125
2021-01-19 12:26:09 +01:00
Stéphane Lesimple
8d0004f8aa
fix: config: be more permissive for documentationURL regex
2021-01-15 16:13:11 +01:00
Stéphane Lesimple
36d0c709db
bump to v3.01.99-rc2
2021-01-13 09:38:02 +01:00
Stéphane Lesimple
c6446495aa
fix: logs: sql dbname was not properly passed through the update logs func
2021-01-13 09:38:02 +01:00
Stéphane Lesimple
1378ba84f5
fix: re-introduce the ttyrecfile field
...
This field was mistakenly removed along with the ttyrecsize one
by mistake in a479810d83.
Add tests to ensure this can't break again.
2021-01-13 09:38:02 +01:00
Stéphane Lesimple
27d09e8cbe
bump to v3.01.99-rc1
2021-01-12 12:05:41 +01:00
Stéphane Lesimple
1129850771
fix: global-log: directly set proper perms on file creation
2021-01-12 12:05:20 +01:00
Stéphane Lesimple
1676979913
feat: add PIV keys support and policy enforcement
...
A new global option 'ingressRequirePIV' was added, to enable or disable a
bastion-wide policy forcing everybody to use only PIV keys.
2021-01-12 12:05:06 +01:00