mirror of
https://github.com/tailscale/tailscale.git
synced 2025-03-25 18:51:01 +00:00
ssh/tailssh: rename sshContext to sshConnInfo
So it's not confused for a context.Context and we can add contexts later and not look like we have two. Updates #3802 Change-Id: Icf229ae2c020d173f3cbf09a13ccd03a60cbb85e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
Brad Fitzpatrick
parent
8175504584
commit
1b5bb2e81d
@ -141,14 +141,14 @@ func (srv *server) handleSSH(s ssh.Session) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
srcIP := srcIPP.IP()
|
srcIP := srcIPP.IP()
|
||||||
sctx := &sshContext{
|
ci := &sshConnInfo{
|
||||||
now: time.Now(),
|
now: time.Now(),
|
||||||
sshUser: sshUser,
|
sshUser: sshUser,
|
||||||
srcIP: srcIP,
|
srcIP: srcIP,
|
||||||
node: node,
|
node: node,
|
||||||
uprof: &uprof,
|
uprof: &uprof,
|
||||||
}
|
}
|
||||||
action, localUser, ok := evalSSHPolicy(pol, sctx)
|
action, localUser, ok := evalSSHPolicy(pol, ci)
|
||||||
if ok && action.Message != "" {
|
if ok && action.Message != "" {
|
||||||
io.WriteString(s.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1))
|
io.WriteString(s.Stderr(), strings.Replace(action.Message, "\n", "\r\n", -1))
|
||||||
}
|
}
|
||||||
@ -264,7 +264,7 @@ func setWinsize(f *os.File, w, h int) {
|
|||||||
uintptr(unsafe.Pointer(&struct{ h, w, x, y uint16 }{uint16(h), uint16(w), 0, 0})))
|
uintptr(unsafe.Pointer(&struct{ h, w, x, y uint16 }{uint16(h), uint16(w), 0, 0})))
|
||||||
}
|
}
|
||||||
|
|
||||||
type sshContext struct {
|
type sshConnInfo struct {
|
||||||
// now is the time to consider the present moment for the
|
// now is the time to consider the present moment for the
|
||||||
// purposes of rule evaluation.
|
// purposes of rule evaluation.
|
||||||
now time.Time
|
now time.Time
|
||||||
@ -282,9 +282,9 @@ type sshContext struct {
|
|||||||
uprof *tailcfg.UserProfile
|
uprof *tailcfg.UserProfile
|
||||||
}
|
}
|
||||||
|
|
||||||
func evalSSHPolicy(pol *tailcfg.SSHPolicy, sctx *sshContext) (a *tailcfg.SSHAction, localUser string, ok bool) {
|
func evalSSHPolicy(pol *tailcfg.SSHPolicy, ci *sshConnInfo) (a *tailcfg.SSHAction, localUser string, ok bool) {
|
||||||
for _, r := range pol.Rules {
|
for _, r := range pol.Rules {
|
||||||
if a, localUser, err := matchRule(r, sctx); err == nil {
|
if a, localUser, err := matchRule(r, ci); err == nil {
|
||||||
return a, localUser, true
|
return a, localUser, true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -300,21 +300,21 @@ var (
|
|||||||
errUserMatch = errors.New("user didn't match")
|
errUserMatch = errors.New("user didn't match")
|
||||||
)
|
)
|
||||||
|
|
||||||
func matchRule(r *tailcfg.SSHRule, sctx *sshContext) (a *tailcfg.SSHAction, localUser string, err error) {
|
func matchRule(r *tailcfg.SSHRule, ci *sshConnInfo) (a *tailcfg.SSHAction, localUser string, err error) {
|
||||||
if r == nil {
|
if r == nil {
|
||||||
return nil, "", errNilRule
|
return nil, "", errNilRule
|
||||||
}
|
}
|
||||||
if r.Action == nil {
|
if r.Action == nil {
|
||||||
return nil, "", errNilAction
|
return nil, "", errNilAction
|
||||||
}
|
}
|
||||||
if r.RuleExpires != nil && sctx.now.After(*r.RuleExpires) {
|
if r.RuleExpires != nil && ci.now.After(*r.RuleExpires) {
|
||||||
return nil, "", errRuleExpired
|
return nil, "", errRuleExpired
|
||||||
}
|
}
|
||||||
if !matchesPrincipal(r.Principals, sctx) {
|
if !matchesPrincipal(r.Principals, ci) {
|
||||||
return nil, "", errPrincipalMatch
|
return nil, "", errPrincipalMatch
|
||||||
}
|
}
|
||||||
if !r.Action.Reject || r.SSHUsers != nil {
|
if !r.Action.Reject || r.SSHUsers != nil {
|
||||||
localUser = mapLocalUser(r.SSHUsers, sctx.sshUser)
|
localUser = mapLocalUser(r.SSHUsers, ci.sshUser)
|
||||||
if localUser == "" {
|
if localUser == "" {
|
||||||
return nil, "", errUserMatch
|
return nil, "", errUserMatch
|
||||||
}
|
}
|
||||||
@ -329,7 +329,7 @@ func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser
|
|||||||
return ruleSSHUsers["*"]
|
return ruleSSHUsers["*"]
|
||||||
}
|
}
|
||||||
|
|
||||||
func matchesPrincipal(ps []*tailcfg.SSHPrincipal, sctx *sshContext) bool {
|
func matchesPrincipal(ps []*tailcfg.SSHPrincipal, ci *sshConnInfo) bool {
|
||||||
for _, p := range ps {
|
for _, p := range ps {
|
||||||
if p == nil {
|
if p == nil {
|
||||||
continue
|
continue
|
||||||
@ -337,15 +337,15 @@ func matchesPrincipal(ps []*tailcfg.SSHPrincipal, sctx *sshContext) bool {
|
|||||||
if p.Any {
|
if p.Any {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
if !p.Node.IsZero() && sctx.node != nil && p.Node == sctx.node.StableID {
|
if !p.Node.IsZero() && ci.node != nil && p.Node == ci.node.StableID {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
if p.NodeIP != "" {
|
if p.NodeIP != "" {
|
||||||
if ip, _ := netaddr.ParseIP(p.NodeIP); ip == sctx.srcIP {
|
if ip, _ := netaddr.ParseIP(p.NodeIP); ip == ci.srcIP {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if p.UserLogin != "" && sctx.uprof != nil && sctx.uprof.LoginName == p.UserLogin {
|
if p.UserLogin != "" && ci.uprof != nil && ci.uprof.LoginName == p.UserLogin {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -20,7 +20,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
tests := []struct {
|
tests := []struct {
|
||||||
name string
|
name string
|
||||||
rule *tailcfg.SSHRule
|
rule *tailcfg.SSHRule
|
||||||
ctx *sshContext
|
ci *sshConnInfo
|
||||||
wantErr error
|
wantErr error
|
||||||
wantUser string
|
wantUser string
|
||||||
}{
|
}{
|
||||||
@ -40,7 +40,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
Action: someAction,
|
Action: someAction,
|
||||||
RuleExpires: timePtr(time.Unix(100, 0)),
|
RuleExpires: timePtr(time.Unix(100, 0)),
|
||||||
},
|
},
|
||||||
ctx: &sshContext{now: time.Unix(200, 0)},
|
ci: &sshConnInfo{now: time.Unix(200, 0)},
|
||||||
wantErr: errRuleExpired,
|
wantErr: errRuleExpired,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -56,7 +56,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
Action: someAction,
|
Action: someAction,
|
||||||
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{sshUser: "alice"},
|
ci: &sshConnInfo{sshUser: "alice"},
|
||||||
wantErr: errUserMatch,
|
wantErr: errUserMatch,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -68,7 +68,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
"*": "ubuntu",
|
"*": "ubuntu",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{sshUser: "alice"},
|
ci: &sshConnInfo{sshUser: "alice"},
|
||||||
wantUser: "ubuntu",
|
wantUser: "ubuntu",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -83,7 +83,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
"*": "ubuntu",
|
"*": "ubuntu",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{sshUser: "alice"},
|
ci: &sshConnInfo{sshUser: "alice"},
|
||||||
wantUser: "ubuntu",
|
wantUser: "ubuntu",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -96,7 +96,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
"alice": "thealice",
|
"alice": "thealice",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{sshUser: "alice"},
|
ci: &sshConnInfo{sshUser: "alice"},
|
||||||
wantUser: "thealice",
|
wantUser: "thealice",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -105,7 +105,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
|
||||||
Action: &tailcfg.SSHAction{Reject: true},
|
Action: &tailcfg.SSHAction{Reject: true},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{sshUser: "alice"},
|
ci: &sshConnInfo{sshUser: "alice"},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "match-principal-node-ip",
|
name: "match-principal-node-ip",
|
||||||
@ -114,7 +114,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
Principals: []*tailcfg.SSHPrincipal{{NodeIP: "1.2.3.4"}},
|
Principals: []*tailcfg.SSHPrincipal{{NodeIP: "1.2.3.4"}},
|
||||||
SSHUsers: map[string]string{"*": "ubuntu"},
|
SSHUsers: map[string]string{"*": "ubuntu"},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{srcIP: netaddr.MustParseIP("1.2.3.4")},
|
ci: &sshConnInfo{srcIP: netaddr.MustParseIP("1.2.3.4")},
|
||||||
wantUser: "ubuntu",
|
wantUser: "ubuntu",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -124,7 +124,7 @@ func TestMatchRule(t *testing.T) {
|
|||||||
Principals: []*tailcfg.SSHPrincipal{{Node: "some-node-ID"}},
|
Principals: []*tailcfg.SSHPrincipal{{Node: "some-node-ID"}},
|
||||||
SSHUsers: map[string]string{"*": "ubuntu"},
|
SSHUsers: map[string]string{"*": "ubuntu"},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{node: &tailcfg.Node{StableID: "some-node-ID"}},
|
ci: &sshConnInfo{node: &tailcfg.Node{StableID: "some-node-ID"}},
|
||||||
wantUser: "ubuntu",
|
wantUser: "ubuntu",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -134,13 +134,13 @@ func TestMatchRule(t *testing.T) {
|
|||||||
Principals: []*tailcfg.SSHPrincipal{{UserLogin: "foo@bar.com"}},
|
Principals: []*tailcfg.SSHPrincipal{{UserLogin: "foo@bar.com"}},
|
||||||
SSHUsers: map[string]string{"*": "ubuntu"},
|
SSHUsers: map[string]string{"*": "ubuntu"},
|
||||||
},
|
},
|
||||||
ctx: &sshContext{uprof: &tailcfg.UserProfile{LoginName: "foo@bar.com"}},
|
ci: &sshConnInfo{uprof: &tailcfg.UserProfile{LoginName: "foo@bar.com"}},
|
||||||
wantUser: "ubuntu",
|
wantUser: "ubuntu",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
got, gotUser, err := matchRule(tt.rule, tt.ctx)
|
got, gotUser, err := matchRule(tt.rule, tt.ci)
|
||||||
if err != tt.wantErr {
|
if err != tt.wantErr {
|
||||||
t.Errorf("err = %v; want %v", err, tt.wantErr)
|
t.Errorf("err = %v; want %v", err, tt.wantErr)
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user