tailcfg, ssh/tailssh: make SSHUser value '=' map ssh-user to same local-user

Updates #3802

Change-Id: Icde60d4150ca15c25d615a4effb3d3c236f020a8
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick 2022-03-21 10:39:54 -07:00 committed by Brad Fitzpatrick
parent 21445b56a5
commit f7e976db55
3 changed files with 21 additions and 3 deletions


@ -624,10 +624,14 @@ func matchRule(r *tailcfg.SSHRule, ci *sshConnInfo) (a *tailcfg.SSHAction, local
} }
func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) { func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) {
if v, ok := ruleSSHUsers[reqSSHUser]; ok { v, ok := ruleSSHUsers[reqSSHUser]
return v if !ok {
v = ruleSSHUsers["*"]
} }
return ruleSSHUsers["*"] if v == "=" {
return reqSSHUser
}
return v
} }
func matchesPrincipal(ps []*tailcfg.SSHPrincipal, ci *sshConnInfo) bool { func matchesPrincipal(ps []*tailcfg.SSHPrincipal, ci *sshConnInfo) bool {
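Review bot: With the new `=` branch, mapLocalUser returns reqSSHUser verbatim, so a rule carrying `"*": "="` accepts whatever account name the connecting peer asked for, privileged ones included; nothing in this hunk narrows that, so it depends either on explicit per-user entries in the map (an exact key such as `"root": ""` does take precedence, since the `!ok` fallback to `"*"` only runs when the exact key is absent) or on the caller checking that the local account is acceptable, and matchRule, the caller, lies outside the hunk. The function also has no doc comment, which matters now that a value has special meaning; suggested: `// mapLocalUser returns the local user that reqSSHUser maps to under ruleSSHUsers, consulting the exact key before the "*" entry; the value "=" means reqSSHUser itself, and "" means no mapping.`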


@ -153,6 +153,18 @@ func TestMatchRule(t *testing.T) {
ci: &sshConnInfo{uprof: &tailcfg.UserProfile{LoginName: "foo@bar.com"}}, ci: &sshConnInfo{uprof: &tailcfg.UserProfile{LoginName: "foo@bar.com"}},
wantUser: "ubuntu", wantUser: "ubuntu",
}, },
{
name: "ssh-user-equal",
rule: &tailcfg.SSHRule{
Action: someAction,
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
SSHUsers: map[string]string{
"*": "=",
},
},
ci: &sshConnInfo{sshUser: "alice"},
wantUser: "alice",
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
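Review bot: The new `ssh-user-equal` case only reaches `=` through the `"*"` wildcard; neither the exact-key form nor the precedence of an exact key over a wildcard `=` (the `!ok` ordering in mapLocalUser) is pinned, so a later reordering of that function would pass this table unchanged. A second entry along the lines below covers both in one case. TestMatchRule starts and ends outside the hunk.
```go
{
	name: "ssh-user-equal-explicit-key",
	rule: &tailcfg.SSHRule{
		Action:     someAction,
		Principals: []*tailcfg.SSHPrincipal{{Any: true}},
		SSHUsers: map[string]string{
			"alice": "=",
			"*":     "ubuntu",
		},
	},
	ci:       &sshConnInfo{sshUser: "alice"},
	wantUser: "alice",
},
// … unchanged: remaining table entries and the t.Run loop …
```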


@ -1573,6 +1573,8 @@ type SSHRule struct {
// actual user that's logged in. // actual user that's logged in.
// If the map value is the empty string (for either the // If the map value is the empty string (for either the
// requested SSH user or "*"), the rule doesn't match. // requested SSH user or "*"), the rule doesn't match.
// If the map value is "=", it means the ssh-user should map
// directly to the local-user.
// It may be nil if the Action is reject. // It may be nil if the Action is reject.
SSHUsers map[string]string `json:"sshUsers"` SSHUsers map[string]string `json:"sshUsers"`
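Review bot: The two added comment lines say `=` maps the ssh-user "directly to the local-user" but do not say that the ssh-user is the name the connecting client requested, which is what makes `"*": "="` a pass-through of peer-chosen input into the account selection; for a policy field that deserves an explicit sentence. Suggested replacement for the added lines: `// If the map value is "=", the requested SSH user name is used unchanged as the local user; under "*" this accepts whatever name the peer asks for, so pair it with explicit entries (for example an empty value) for accounts that must not be reachable.` The rest of the SSHRule doc comment and the struct lie outside the hunk.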