ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-09-11 07:24:14 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/bin/plugin/open/scp
Stéphane Lesimple f4abfc1ba8 feat: add sftp support
2023-03-16 13:45:42 +01:00

239 lines
8 KiB
Perl
Executable file
Raw Blame History

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use MIME::Base64;
use IO::Compress::Gzip qw{ gzip };
use Sys::Hostname ();
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT );
# stdout is used by scp, so ensure we output everything through stderr
local $ENV{'FORCE_STDERR'} = 1;
# don't output fancy stuff, this can get digested by scp and we get garbage output
local $ENV{'PLUGIN_QUIET'} = 1;
my ($scpCmd);
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => undef,
options => {'scp-cmd=s' => \$scpCmd},
help => \&help,
);
sub help {
delete $ENV{'FORCE_STDERR'};
delete $ENV{'PLUGIN_QUIET'};
osh_header("scp");
my $bastionCommand = OVH::Bastion::config('bastionCommand')->value;
my $bastionName = OVH::Bastion::config('bastionName')->value;
$bastionCommand =~ s/USER|ACCOUNT/$self/g;
$bastionCommand =~ s/CACHENAME|BASTIONNAME/$bastionName/g;
my $hostname = Sys::Hostname::hostname();
$bastionCommand =~ s/HOSTNAME/$hostname/g;
# for scp, if the bastionCommand contains -t, we need to get rid of it
$bastionCommand =~ s/ -t( |$)/$1/;
# same thing for --
$bastionCommand =~ s/ --/ /;
my $script = <<'EOF';
#! /bin/sh
[ "$BASTION_SCP_DEBUG" ] && echo "scpwrapper: args: $*" >&2
while ! [ "$1" = "--" ] ; do
if [ "$1" = "-l" ] ; then
remoteuser="--user $2"
shift 2
elif [ "$1" = "-p" ] ; then
remoteport="--port $2"
shift 2
else
sshcmdline="$sshcmdline $1"
shift
fi
done
host="$2"
scpcmd=`echo "$3" | sed -e 's/#/##/g;s/ /#/g'`
[ "$BASTION_SCP_DEBUG" ] && echo "scpwrapper: exec #BASTIONCMD# -T $sshcmdline $BASTION_SCP_EXTRA_ARGS -- $remoteuser $remoteport --host $host --osh scp --scp-cmd \"$scpcmd\"" >&2
exec #BASTIONCMD# -T $sshcmdline $BASTION_SCP_EXTRA_ARGS -- $remoteuser $remoteport --host $host --osh scp --scp-cmd "$scpcmd"
EOF
$script =~ s{#BASTIONCMD#}{$bastionCommand}g;
my $compressed = '';
gzip \$script => \$compressed;
my $base64 = encode_base64($compressed);
chomp $base64;
osh_info <<"EOF";
Description:
Transfers files to/from a host through the bastion
Usage:
To use scp through the bastion, you need a helper script to use with
your scp client. It'll be specific to your account, don't share it with
others! To download your customized script, copy/paste this command:
EOF
print "\necho \"$base64\"|base64 -d|gunzip -c > ~/scp_$bastionName && chmod +x ~/scp_$bastionName\n\n";
osh_info <<"EOF";
To use scp through this bastion, add `-S ~/scp_$bastionName` to your regular scp command.
For example, to upload a file:
\$ scp -S ~/scp_$bastionName localfile login\@server:/dest/folder/
Or to recursively download a folder contents:
\$ scp -S ~/scp_$bastionName -r login\@server:/src/folder/ /tmp/
The following environment variables modify the behavior of the script:
- `BASTION_SCP_DEBUG`: if set to 1, debug info is printed on the console
- `BASTION_SCP_EXTRA_ARGS`: if set, the contents of this variable is added
to the resulting ssh command called by the script
For example:
\$ BASTION_SCP_DEBUG=1 BASTION_SCP_EXTRA_ARGS="-v" scp -S ~/scp_$bastionName file1 login\@srv:/tmp
Please note that you need to be granted for uploading or downloading files
with scp to/from the remote host, in addition to having the right to SSH to it.
For a group, the right should be added with --scpup/--scpdown of the groupAddServer command.
For a personal access, the right should be added with --scpup/--scpdown of the selfAddPersonalAccess command.
EOF
osh_ok({script => $base64, "content-encoding" => 'base64-gzip'});
return 0;
}
#
# code
#
my $fnret;
if (not $host) {
help();
osh_exit;
}
if (not $ip) {
# note that the calling-side scp will not passthrough this exit code, but most probably "1" instead.
osh_exit 'ERR_HOST_NOT_FOUND', "Sorry, couldn't resolve the host you specified ('$host'), aborting.";
}
my $machine = $ip;
$machine = "$user\@$ip" if $user;
$port ||= 22; # scp uses 22 if not specified, so we need to test access to that port and not any port (aka undef)
$user ||= $self; # same for user
$machine .= ":$port";
# decode the passed scp command
my $decoded = $scpCmd;
$decoded =~ s/(?<!#)#(?!#)/ /g;
$decoded =~ s/##/#/g;
if ($decoded !~ /^(?:scp )(?:.*)-([tf]) (?:.+)$/) {
# security
osh_exit 'ERR_SECURITY_VIOLATION', "scp command format unrecognized";
}
my $userToCheck = $1 eq 't' ? '!scpupload' : '!scpdownload'; ## no critic (CaptureWithoutTest) ## false positive
my %keys;
osh_debug("Checking access 1/2 of $self to $machine...");
$fnret = OVH::Bastion::is_access_granted(
account => $self,
user => $user,
ipfrom => $ENV{'OSH_IP_FROM'},
ip => $ip,
port => $port,
details => 1
);
if (not $fnret) {
osh_exit 'ERR_ACCESS_DENIED', "Sorry, but you don't seem to have access to $machine";
}
# get the keys we would try
foreach my $access (@{$fnret->value || []}) {
foreach my $key (@{$access->{'sortedKeys'} || []}) {
my $keyfile = $access->{'keys'}{$key}{'fullpath'};
$keys{$keyfile}++ if -r $keyfile;
osh_debug("Checking access 1/2 keyfile: $keyfile");
}
}
osh_debug("Checking access 2/2 of $self to $userToCheck of $machine...");
$fnret = OVH::Bastion::is_access_granted(
account => $self,
user => $userToCheck,
ipfrom => $ENV{'OSH_IP_FROM'},
ip => $ip,
port => $port,
exactUserMatch => 1,
details => 1
);
if (not $fnret) {
osh_exit 'ERR_ACCESS_DENIED',
"Sorry, but even if you have ssh access to $machine, you still need to be granted specifically for scp";
}
# get the keys we would try too
foreach my $access (@{$fnret->value || []}) {
foreach my $key (@{$access->{'sortedKeys'} || []}) {
my $keyfile = $access->{'keys'}{$key}{'fullpath'};
$keys{$keyfile}++ if -r $keyfile;
osh_debug("Checking access 2/2 keyfile: $keyfile");
}
}
# now build the command
my @cmd = qw{ ssh -x -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes };
push @cmd, ('-p', $port) if $port;
push @cmd, ('-l', $user) if $user;
my $atleastonekey = 0;
foreach my $keyfile (keys %keys) {
# only use the key if it has been seen in both allow_deny() calls, this is to avoid
# a security bypass where a user would have group access to a server, but not to the
# !scpupload special user, and we would add himself this access through selfAddPrivateAccess.
# in that case both allow_deny would return OK, but with different keys.
# we'll only use the keys that matched BOTH calls.
next unless $keys{$keyfile} == 2;
push @cmd, ('-i', $keyfile);
$atleastonekey = 1;
}
if (not $atleastonekey) {
osh_exit('KO_ACCESS_DENIED',
"Sorry, you seem to have access through ssh and through scp but by different and distinct means (distinct keys)."
. " The intersection between your rights for ssh and for scp needs to be at least one.");
}
# basic mitigation for CVE-2020-15778
if ($decoded =~ m{[\`\$\;><\|\&]}) {
osh_exit('ERR_SECURITY_VIOLATION', "Invalid characters detected, bailing out");
}
push @cmd, "--", $ip, $decoded;
print STDERR ">>> Hello $self, transferring your file through the bastion "
. ($userToCheck eq '!scpupload' ? 'to' : 'from')
. " $machine...\n";
#print STDERR join('^', @cmd)."\n";
$fnret = OVH::Bastion::execute(cmd => \@cmd, expects_stdin => 1, is_binary => 1);
if ($fnret->err ne 'OK') {
osh_exit 'ERR_TRANSFER_FAILED', "Error launching transfer: $fnret";
}
print STDERR ">>> Done, "
. $fnret->value->{'bytesnb'}{'stdin'}
. " bytes uploaded, "
. $fnret->value->{'bytesnb'}{'stdout'}
. " bytes downloaded.\n";
if ($fnret->value->{'sysret'} != 0) {
print STDERR ">>> On bastion side, scp exited with return code " . $fnret->value->{'sysret'} . ".\n";
}
# don't use osh_exit() to avoid getting a footer
exit OVH::Bastion::EXIT_OK;
Reference in a new issue View git blame Copy permalink