From cc6ccd04a7510d52a0424a49a815f17cd1bcbdc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Lesimple?= Date: Tue, 9 Apr 2024 15:28:20 +0000 Subject: [PATCH] feat: support wildcards in --user (fix #461) --- bin/plugin/group-aclkeeper/groupAddServer | 12 ++--- bin/plugin/group-aclkeeper/groupDelServer | 7 +-- .../group-gatekeeper/groupAddGuestAccess | 7 +-- .../group-gatekeeper/groupDelGuestAccess | 7 +-- .../restricted/accountAddPersonalAccess | 13 +++--- .../restricted/accountDelPersonalAccess | 7 +-- bin/plugin/restricted/selfAddPersonalAccess | 13 +++--- bin/plugin/restricted/selfDelPersonalAccess | 7 +-- bin/shell/osh.pl | 4 +- .../group-aclkeeper/groupAddServer.rst | 5 ++- .../restricted/accountAddPersonalAccess.rst | 4 +- .../restricted/selfAddPersonalAccess.rst | 4 +- lib/perl/OVH/Bastion.pm | 11 +++-- lib/perl/OVH/Bastion/Plugin.pm | 15 ++++--- lib/perl/OVH/Bastion/Plugin/handleSessions.pm | 2 +- lib/perl/OVH/Bastion/allowdeny.inc | 40 ++++++++++------- lib/perl/OVH/Bastion/allowkeeper.inc | 8 +++- lib/perl/OVH/Result.pm | 6 ++- tests/functional/tests.d/340-selfaccesses.sh | 44 +++++++++++++++++++ tests/functional/tests.d/350-groups.sh | 24 +++++----- 20 files changed, 159 insertions(+), 81 deletions(-) diff --git a/bin/plugin/group-aclkeeper/groupAddServer b/bin/plugin/group-aclkeeper/groupAddServer index 7302c9616..1d1948b0e 100755 --- a/bin/plugin/group-aclkeeper/groupAddServer +++ b/bin/plugin/group-aclkeeper/groupAddServer @@ -10,9 +10,10 @@ use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - argv => \@ARGV, - header => "adding a server to a group", - options => { + argv => \@ARGV, + header => "adding a server to a group", + userAllowWildcards => 1, + options => { "group=s" => \my $group, "user-any" => \my $userAny, "port-any" => \my $portAny, 
@@ -33,8 +34,9 @@ Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS] --group GROUP Specify which group this machine should be added to (it should have the public group key of course) --host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP, or a whole network using the NET/CIDR notation - --user USER Specify which remote user should be allowed (root, run, etc...) - --user-any Allow any remote user (the remote user should still have the public group key in all cases) + --user USER Specify which remote user should be allowed (root, run, etc...). + Globbing characters '*' and '?' are supported. + --user-any Synonym of '--user *', allows any remote user (the remote user should still have the public group key in all cases) --port PORT Only allow access to this port (e.g. 22) --port-any Allow access to any port --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) diff --git a/bin/plugin/group-aclkeeper/groupDelServer b/bin/plugin/group-aclkeeper/groupDelServer index afaf384de..7463340b6 100755 --- a/bin/plugin/group-aclkeeper/groupDelServer +++ b/bin/plugin/group-aclkeeper/groupDelServer @@ -10,9 +10,10 @@ use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - argv => \@ARGV, - header => "removing a server from a group", - options => { + argv => \@ARGV, + header => "removing a server from a group", + userAllowWildcards => 1, + options => { "group=s" => \my $group, "user-any" => \my $userAny, "port-any" => \my $portAny, diff --git a/bin/plugin/group-gatekeeper/groupAddGuestAccess b/bin/plugin/group-gatekeeper/groupAddGuestAccess index 42ce80080..cd83ba77b 100755 --- a/bin/plugin/group-gatekeeper/groupAddGuestAccess +++ b/bin/plugin/group-gatekeeper/groupAddGuestAccess 
@@ -11,9 +11,10 @@ use OVH::Bastion::Plugin::groupSetRole; use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - argv => \@ARGV, - header => "add access to one server of a group to an account", - options => { + argv => \@ARGV, + header => "add access to one server of a group to an account", + userAllowWildcards => 1, + options => { "group=s" => \my $group, "account=s" => \my $account, "user-any" => \my $userAny, diff --git a/bin/plugin/group-gatekeeper/groupDelGuestAccess b/bin/plugin/group-gatekeeper/groupDelGuestAccess index 50215e591..224cf633b 100755 --- a/bin/plugin/group-gatekeeper/groupDelGuestAccess +++ b/bin/plugin/group-gatekeeper/groupDelGuestAccess @@ -11,9 +11,10 @@ use OVH::Bastion::Plugin::groupSetRole; use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - argv => \@ARGV, - header => "remove access from one server of a group from an account", - options => { + argv => \@ARGV, + header => "remove access from one server of a group from an account", + userAllowWildcards => 1, + options => { "group=s" => \my $group, "account=s" => \my $account, "user-any" => \my $userAny, diff --git a/bin/plugin/restricted/accountAddPersonalAccess b/bin/plugin/restricted/accountAddPersonalAccess index 5061c64ed..2173dc07c 100755 --- a/bin/plugin/restricted/accountAddPersonalAccess +++ b/bin/plugin/restricted/accountAddPersonalAccess @@ -10,10 +10,11 @@ use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - loadConfig => 1, - argv => \@ARGV, - header => "adding personal access to a server on an account", - options => { + loadConfig => 1, + argv => \@ARGV, + header => "adding personal access to a server on an account", + userAllowWildcards => 1, + options => { "account=s" => \my $account, "user-any" => \my $userAny, "port-any" => \my $portAny, 
@@ -32,8 +33,8 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS] --account Bastion account to add the access to --host IP|HOST|IP/MASK Server to add access to - --user USER Remote login to use, if you want to allow any login, use --user-any - --user-any Allow access with any remote login + --user USER Remote login to use, globbing characters '?' and '*' are supported + --user-any Allow access with any remote login (synonym of ``--user *``) --port PORT Remote SSH port to use, if you want to allow any port, use --port-any --port-any Allow access to all remote ports --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) diff --git a/bin/plugin/restricted/accountDelPersonalAccess b/bin/plugin/restricted/accountDelPersonalAccess index 16ef164e9..381d89293 100755 --- a/bin/plugin/restricted/accountDelPersonalAccess +++ b/bin/plugin/restricted/accountDelPersonalAccess @@ -10,9 +10,10 @@ use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - argv => \@ARGV, - header => "removing personal access to a server from an account", - options => { + argv => \@ARGV, + header => "removing personal access to a server from an account", + userAllowWildcards => 1, + options => { "account=s" => \my $account, "user-any" => \my $userAny, "port-any" => \my $portAny, diff --git a/bin/plugin/restricted/selfAddPersonalAccess b/bin/plugin/restricted/selfAddPersonalAccess index 2d3a5ecf1..7e07b0a4e 100755 --- a/bin/plugin/restricted/selfAddPersonalAccess +++ b/bin/plugin/restricted/selfAddPersonalAccess 
@@ -10,10 +10,11 @@ use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - loadConfig => 1, - argv => \@ARGV, - header => "adding personal access to a server on your account", - options => { + loadConfig => 1, + argv => \@ARGV, + header => "adding personal access to a server on your account", + userAllowWildcards => 1, + options => { "user-any" => \my $userAny, "port-any" => \my $portAny, "scpup" => \my $scpUp, @@ -31,8 +32,8 @@ Add a personal server access on your account Usage: --osh SCRIPT_NAME --host HOST [OPTIONS] --host IP|HOST|IP/MASK Server to add access to - --user USER Remote login to use, if you want to allow any login, use --user-any - --user-any Allow access with any remote login + --user USER Remote login to use, globbing characters '?' and '*' are supported + --user-any Allow access with any remote login (synonym of ``--user *``) --port PORT Remote SSH port to use, if you want to allow any port, use --port-any --port-any Allow access to all remote ports --scpup Allow SCP upload, you--bastion-->server (omit --user in this case) diff --git a/bin/plugin/restricted/selfDelPersonalAccess b/bin/plugin/restricted/selfDelPersonalAccess index dea0d7b7e..8a42c91ab 100755 --- a/bin/plugin/restricted/selfDelPersonalAccess +++ b/bin/plugin/restricted/selfDelPersonalAccess @@ -10,9 +10,10 @@ use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( - argv => \@ARGV, - header => "removing personal access to a server from an account", - options => { + argv => \@ARGV, + header => "removing personal access to a server from an account", + userAllowWildcards => 1, + options => { "user-any" => \my $userAny, "port-any" => \my $portAny, "scpup" => \my $scpUp, diff --git a/bin/shell/osh.pl b/bin/shell/osh.pl index 483851af8..81e67951e 100755 --- a/bin/shell/osh.pl +++ b/bin/shell/osh.pl 
@@ -595,7 +595,9 @@ sub main_exit { } } -if ($user && !OVH::Bastion::is_valid_remote_user(user => $user)) { +# for plugins (osh_command), do a first check with allowWildcards, it'll be re-done in Plugin::start with +# either allowWildcards set to 0 or 1 depending on the plugin configuration that we don't have at this stage yet +if ($user && !OVH::Bastion::is_valid_remote_user(user => $user, allowWildcards => ($osh_command ? 1 : 0))) { main_exit OVH::Bastion::EXIT_INVALID_REMOTE_USER, 'invalid_remote_user', "Remote user name '$user' seems invalid"; } if ($host && $host !~ m{^[a-zA-Z0-9._/:-]+$}) { diff --git a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst index cc7e9dfc7..915e5db82 100644 --- a/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst +++ b/doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst @@ -25,11 +25,12 @@ Add an IP or IP block to a group's servers list or a whole network using the NET/CIDR notation .. option:: --user USER - Specify which remote user should be allowed (root, run, etc...) + Specify which remote user should be allowed (root, run, etc...). + Globbing characters '*' and '?' are supported. .. option:: --user-any - Allow any remote user (the remote user should still have the public group key in all cases) + Synonym of '--user *', allows any remote user (the remote user should still have the public group key in all cases) .. option:: --port PORT diff --git a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst index cf47a11b6..91ef8918c 100644 --- a/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst 
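Review bot: The relaxed first pass on the `if ($user && !OVH::Bastion::is_valid_remote_user(...))` line now lets `*` and `?` through for every `--osh` command, so the only thing keeping globs out of a plugin that did not opt in is `Plugin::begin()` re-validating with `userAllowWildcards` unset; a plugin that reads `$user` without going through `begin()` (I cannot tell from this hunk whether any does) would receive an unvalidated glob. I would make that contract explicit right in the new comment: `# NOTE: a plugin that consumes $user without OVH::Bastion::Plugin::begin() must call is_valid_remote_user() itself, since '*' and '?' may still be present at this point`. The surrounding top-level code starts and ends outside this hunk.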
@@ -24,11 +24,11 @@ Add a personal server access to an account .. option:: --user USER - Remote login to use, if you want to allow any login, use --user-any + Remote login to use, globbing characters '?' and '*' are supported .. option:: --user-any - Allow access with any remote login + Allow access with any remote login (synonym of ``--user *``) .. option:: --port PORT diff --git a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst index ac674c736..4443ee50b 100644 --- a/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst +++ b/doc/sphinx/plugins/restricted/selfAddPersonalAccess.rst @@ -20,11 +20,11 @@ Add a personal server access on your account .. option:: --user USER - Remote login to use, if you want to allow any login, use --user-any + Remote login to use, globbing characters '?' and '*' are supported .. option:: --user-any - Allow access with any remote login + Allow access with any remote login (synonym of ``--user *``) .. option:: --port PORT diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index 48f4cf9d7..419856185 100644 --- a/lib/perl/OVH/Bastion.pm +++ b/lib/perl/OVH/Bastion.pm @@ -735,9 +735,14 @@ sub is_valid_port { } sub is_valid_remote_user { - my %params = @_; - my $user = $params{'user'}; - if ($user =~ /^([a-zA-Z0-9._@!-]{1,128})$/) { + my %params = @_; + my $user = $params{'user'}; + my $allowWildcards = $params{'allowWildcards'}; + + # if allowWildcards, then additional chars are allowed in the regex + my $extraChars = ($allowWildcards ? '?*' : ''); + + if ($user =~ /^([\Q${extraChars}\Ea-zA-Z0-9._@!-]{1,128})$/) { return R('OK', value => $1); } return R('ERR_INVALID_PARAMETER', msg => "Specified user doesn't seem to be valid"); diff --git a/lib/perl/OVH/Bastion/Plugin.pm b/lib/perl/OVH/Bastion/Plugin.pm index 6866bf249..f3320a08a 100644 --- a/lib/perl/OVH/Bastion/Plugin.pm +++ b/lib/perl/OVH/Bastion/Plugin.pm 
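Review bot: With `allowWildcards` set, `is_valid_remote_user` still accepts `!` in the same character class, so patterns such as `!*` or `!s*` validate even though `!scpupload`, `!scpdownload` and `!sftp` (listed as reserved in `ssh_test_access_way` elsewhere in this patch) live in that namespace; a glob starting with `!` is therefore a potential shortcut to several reserved pseudo-users at once. I would refuse that combination before the regex: `return R('ERR_INVALID_PARAMETER', msg => "Wildcards can't be combined with the reserved '!' prefix") if ($allowWildcards && $user =~ /^!/ && $user =~ /[*?]/);`. A one-line header comment would also help, e.g. `# allowWildcards: accept '*' and '?' (ACL entries only, never the user of a live connection); the caller decides what a wildcard matches`.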
@@ -24,12 +24,13 @@ sub help { osh_info $_helptext; return 1; } sub begin { my %params = @_; - my $options = $params{'options'}; - my $header = $params{'header'}; - my $argv = $params{'argv'}; - my $loadConfig = $params{'loadConfig'}; - my $exitOnSignal = $params{'exitOnSignal'}; - my $helpfunc = $params{'help'}; + my $options = $params{'options'}; + my $header = $params{'header'}; + my $argv = $params{'argv'}; + my $loadConfig = $params{'loadConfig'}; + my $exitOnSignal = $params{'exitOnSignal'}; + my $helpfunc = $params{'help'}; + my $userAllowWildcards = $params{'userAllowWildcards'}; $_helptext = $params{'helptext'}; my $fnret; @@ -63,7 +64,7 @@ sub begin { # validate user, ip, port when specified, undef them otherwise (instead of '') if (defined $user && $user ne '') { - $fnret = OVH::Bastion::is_valid_remote_user(user => $user); + $fnret = OVH::Bastion::is_valid_remote_user(user => $user, allowWildcards => $userAllowWildcards); $fnret or osh_exit $fnret; $user = $fnret->value; } diff --git a/lib/perl/OVH/Bastion/Plugin/handleSessions.pm b/lib/perl/OVH/Bastion/Plugin/handleSessions.pm index 418a7cc6f..77cadcc23 100644 --- a/lib/perl/OVH/Bastion/Plugin/handleSessions.pm +++ b/lib/perl/OVH/Bastion/Plugin/handleSessions.pm @@ -45,7 +45,7 @@ sub kill_sessions { if ($problems) { return R('ERR_CANNOT_TERMINATE_PROCESSES', msg => "Couldn't terminate $problems out of $count processes"); } - return R('OK'); + return R('OK', value => {count => $count, terminated => ($count - $problems)}); } 1; diff --git a/lib/perl/OVH/Bastion/allowdeny.inc b/lib/perl/OVH/Bastion/allowdeny.inc index da25a0cc3..11f7dbdc4 100644 --- a/lib/perl/OVH/Bastion/allowdeny.inc +++ b/lib/perl/OVH/Bastion/allowdeny.inc 
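Review bot: The new `userAllowWildcards` parameter of `begin()` is undocumented, and its default (undef, i.e. strict remote-user syntax) is the behaviour every plugin that does not pass it silently inherits — which is the right default, but a reader has to trace it through `is_valid_remote_user` to find out. I would add next to its declaration `# userAllowWildcards: when true, '*' and '?' are accepted in --user (ACL add/del plugins only); otherwise plain remote-user syntax is enforced`, and pass a defined value downstream to keep the call self-explanatory: `allowWildcards => ($userAllowWildcards ? 1 : 0)`. `begin()` starts in this hunk but its body continues well past it.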
@@ -80,9 +80,9 @@ sub is_access_way_granted { my $ignoreUser = $params{'ignoreUser'}; # ignore remote user COMPLETELY (plop@, or root@, or @ will all match) my $ignorePort = $params{'ignorePort'}; # ignore port COMPLETELY (port 22, 2345, or port-wildcard will all match) - my $wantedUser = $params{'user'}; # if undef, means we look for a user wildcard allow + my $wantedUser = $params{'user'}; # if undef, means we look for a user-any allow my $wantedIp = $params{'ip'}; # can be a single IP or a prefix - my $wantedPort = $params{'port'}; # if undef, means we look for a port wildcard allow + my $wantedPort = $params{'port'}; # if undef, means we look for a port-any allow my $way = $params{'way'}; # personal|group|groupguest|legacy my $group = $params{'group'}; # only meaningful and needed if type=group or type=groupguest @@ -124,7 +124,6 @@ sub is_access_way_granted { # if we get ignorePort, we skip the checks entirely if (not $ignorePort) { if ($exactPortMatch) { - # we want an exact match if (not defined $allowedPort) { if (not defined $wantedPort) { @@ -144,7 +143,7 @@ sub is_access_way_granted { } } else { - # we don't want an exact match (aka wildcards allowed) + # we don't want an exact match (aka port-any allowed) if (not defined $allowedPort) { ; # it's a wildcard, will always match } @@ -163,7 +162,6 @@ sub is_access_way_granted { # if we get ignoreUser, we skip the checks entirely if (not $ignoreUser) { if ($exactUserMatch) { - # we want an exact match if (not defined $allowedUser) { if (not defined $wantedUser) { @@ -183,7 +181,7 @@ sub is_access_way_granted { } } else { - # we don't want an exact match (aka wildcards allowed) + # we don't want an exact match (aka user-any allowed) if (not defined $allowedUser) { ; # it's a wildcard, will always match } 
@@ -192,7 +190,18 @@ sub is_access_way_granted { next; # we want a wildcard, but we don't have it } else { - next if ($wantedUser ne $allowedUser); # both defined but unequal, not a match + # handle the case where $allowedUser contains wildcards such as '?' or '*' + if (index($allowedUser, '*') >= 0 || index($allowedUser, '?') >= 0) { + # turn wildcards into a regexp + my $allowedUserRe = quotemeta($allowedUser); + $allowedUserRe =~ s{\\\?}{.}g; + $allowedUserRe =~ s{\\\*}{.*}g; + next if ($wantedUser !~ /^$allowedUserRe$/); + } + else { + # doesn't contain a wildcard, simple comparison + next if ($wantedUser ne $allowedUser); # both defined but unequal, not a match + } } } } @@ -574,8 +583,8 @@ sub print_acls { $entry->{'reverseDns'} = $ipReverse; my @row = ( - $ipReverse ? $ipReverse : $entry->{'ip'}, $entry->{'port'} ? $entry->{'port'} : '(any)', - $entry->{'user'} ? $entry->{'user'} : '(any)', $accessType, + $ipReverse ? $ipReverse : $entry->{'ip'}, $entry->{'port'} ? $entry->{'port'} : '*', + $entry->{'user'} ? $entry->{'user'} : '*', $accessType, $addedBy, $addedDate, $expiry, $entry->{'userComment'} || '-', $forceKey, $forcePassword 
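Review bot: In the new glob branch nothing prevents a pattern from matching the reserved `!`-prefixed pseudo-users: `?*` or `!*` compile to `^.+$` / `^!.*$` and will match `!scpupload` if, as the reserved names listed in `ssh_test_access_way` suggest, the scp/sftp ACL checks call this function with such a wanted user — turning an ordinary login glob into an scp/sftp grant the author never asked for. I would add, before the regex test, `next if (index($wantedUser, '!') == 0 && index($allowedUser, '!') != 0); # a glob never matches a reserved '!' user unless it explicitly starts with '!'`, and anchor the test as `next if ($wantedUser !~ /\A$allowedUserRe\z/);` since `$` tolerates a trailing newline. `is_access_way_granted` starts and ends outside this hunk.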
@@ -937,10 +946,15 @@ sub ssh_test_access_way { $user = OVH::Bastion::config("defaultLogin")->value if not $user; $user = $account if not $user; # defaultLogin empty means the user himself $user = OVH::Bastion::get_user_from_env()->value if not $user; # no user or account ? get from env then - $fnret = OVH::Bastion::is_valid_remote_user(user => $user); + $fnret = OVH::Bastion::is_valid_remote_user(user => $user, allowWildcards => 1); $fnret or return $fnret; $user = $fnret->value; + # skip special users and wildcarded-users which are not actual remote users + if ((grep { $user eq $_ } qw{ !scpupload !scpdownload !sftp }) || ($user =~ /[*?]/)) { + return R('OK_MAGIC_USER', msg => "Didn't really test the connection, as the specified user is special"); + } + if ($group) { $fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key"); $fnret or return $fnret; @@ -976,10 +990,6 @@ sub ssh_test_access_way { ); } - if (grep { $user eq $_ } qw{ !scpupload !scpdownload !sftp }) { - return R('OK_MAGIC_USER', msg => "Didn't really test the connection, as the specified user is special"); - } - my $preferredAuthentications = 'publickey'; $preferredAuthentications .= ',keyboard-interactive' if $ENV{'OSH_KBD_INTERACTIVE'}; @@ -1285,7 +1295,7 @@ sub _get_acl_from_file { # extract custom user if present if ($line =~ s/^(\S+)\@//) { - $fnret = OVH::Bastion::is_valid_remote_user(user => $1); + $fnret = OVH::Bastion::is_valid_remote_user(user => $1, allowWildcards => 1); if (!$fnret) { osh_debug("skipping line <$line> because user ($1) is invalid"); next; diff --git a/lib/perl/OVH/Bastion/allowkeeper.inc b/lib/perl/OVH/Bastion/allowkeeper.inc index 76202e8ba..e878ae99b 100644 --- a/lib/perl/OVH/Bastion/allowkeeper.inc +++ b/lib/perl/OVH/Bastion/allowkeeper.inc 
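Review bot: The early return for wildcard users reuses `OK_MAGIC_USER` and a message saying the user "is special", which is misleading for a plain glob like `prefix-*`; skipping the connection test is right (a glob is not a login that can be tried), but the text should say so: `msg => "Didn't test the connection, as the specified user is reserved or contains wildcards"`. Separately, `_get_acl_from_file` now accepts globs from the ACL files with `allowWildcards => 1`, so a hand-written `*@host` line would be kept as a literal `*` user rather than the undef/user-any form that `access_modify` normalises to; if that form can ever appear on disk it is worth normalising here as well, otherwise a comment saying the writer never emits it. Both subs start and end outside this hunk.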
@@ -339,6 +339,11 @@ sub access_modify { undef $user if (defined $user && $user eq ''); undef $port if (defined $port && $port eq ''); + # allow wildcards, but standardize full wildcard to user=undef + if ($user && $user =~ m{^\*+$}) { + undef $user; + } + # check way if ($way eq 'personal') { return R('ERR_INVALID_PARAMETER', msg => "Group parameter specified with way=personal") if defined $group; @@ -390,7 +395,7 @@ sub access_modify { # check remote user if (defined $user) { - $fnret = OVH::Bastion::is_valid_remote_user(user => $user); + $fnret = OVH::Bastion::is_valid_remote_user(user => $user, allowWildcards => 1); return $fnret unless $fnret; $user = $fnret->value; } @@ -398,7 +403,6 @@ sub access_modify { # check account my ($remoteaccount, $sysaccount); if (defined $account) { - # accountType==normal : account must NOT be a realm_* account (but can be a realm/jdoe account) $fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account, accountType => 'normal'); $fnret or return $fnret; diff --git a/lib/perl/OVH/Result.pm b/lib/perl/OVH/Result.pm index f13b0da2c..ea45e401b 100644 --- a/lib/perl/OVH/Result.pm +++ b/lib/perl/OVH/Result.pm @@ -31,14 +31,16 @@ sub new { ## no critic (ArgUnpacking) # uncomment this and 'use Carp' above to trace results, # slows down code and gets noticeable on very busy bastions - # trace => Carp::longmess("new Result"), + # trace => Carp::longmess("new Result"), }; bless $Object, 'OVH::Result'; # uncomment this and 'use Carp' above to print on STDERR any non-OK result # that is generated by any function, helpful to debug complex new features - # print STDERR Carp::longmess("$0 R[" . ($err ? $err : '') . " " . ($value ? $value : '') . " " . ($msg ? $msg : '')) if (!$silent && !$Object->is_ok()); + # if (!$silent && !$Object->is_ok()) { + # print STDERR Carp::longmess(sprintf("%s R[%s %s %s]", $0, $err // '', $value // '', $msg // '')); + # } return $Object; } 
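Review bot: The normalisation on the `m{^\*+$}` line only folds runs of `*`, yet since `is_valid_remote_user` requires at least one character, `?*`, `*?` and `*?*` match exactly the same set as `*`; they are stored as distinct glob entries, escape the `OK_NO_CHANGE` de-duplication against an existing user-any grant, and show up as separate ACL rows that a later `--user-any` deletion will not remove. I would widen the check to any pattern made only of wildcard characters that contains a `*`: `if ($user && $user =~ m{^[*?]+$} && $user =~ m{\*})`, keeping the comment above it. `access_modify` starts and ends outside this hunk.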
diff --git a/tests/functional/tests.d/340-selfaccesses.sh b/tests/functional/tests.d/340-selfaccesses.sh index ea4308fd7..5a3409c51 100644 --- a/tests/functional/tests.d/340-selfaccesses.sh +++ b/tests/functional/tests.d/340-selfaccesses.sh 
@@ -380,6 +380,50 @@ testsuite_selfaccesses() nocontain "Permission denied" contain "$randomstr" + # user wildcards + + success a0_add_access_wild1 $a0 --osh selfAddPersonalAccess -h 127.6.4.2 -u "prefix-*" -p 101 + json .command selfAddPersonalAccess .error_code OK .value.ip 127.6.4.2 .value.user "prefix-*" .value.port 101 + + success a0_add_access_wild1_dupe $a0 --osh selfAddPersonalAccess -h 127.6.4.2 -u "prefix-*" -p 101 + json .command selfAddPersonalAccess .error_code OK_NO_CHANGE + + success a0_add_access_wild2 $a0 --osh selfAddPersonalAccess -h 127.6.4.2 -u "a?b?c" -p 102 + json .command selfAddPersonalAccess .error_code OK .value.ip 127.6.4.2 .value.user "a?b?c" .value.port 102 + + run a0_test_ssh_wild1 $a0 prefix-12@127.6.4.2 -p 101 + contain "allowed ... log on" + + run a0_test_ssh_wild2 $a0 prefix-@127.6.4.2 -p 101 + contain "allowed ... log on" + + run a0_test_ssh_wild3 $a0 a_b_c@127.6.4.2 -p 102 + contain "allowed ... log on" + + run a0_test_ssh_wild4 $a0 a_b_c_no@127.6.4.2 -p 102 + nocontain "allowed ... log on" + + run a0_test_ssh_wild5 $a0 denied@127.6.4.2 -p 102 + nocontain "allowed ... log on" + + run a0_test_ssh_wild6 $a0 a_b_c@127.6.4.2 -p 101 + nocontain "allowed ... 
log on" + + run a0_test_ssh_wild7 $a0 'prefix-*@127.6.4.2' -p 101 + retvalshouldbe 127 + json .error_code KO_INVALID_REMOTE_USER + + success a0_del_access_wild1 $a0 --osh selfDelPersonalAccess -h 127.6.4.2 -u "prefix-*" -p 101 + json .command selfDelPersonalAccess .error_code OK .value.ip 127.6.4.2 .value.user "prefix-*" .value.port 101 + + success a0_del_access_wild2 $a0 --osh selfDelPersonalAccess -h 127.6.4.2 -u "a?b?c" -p 102 + json .command selfDelPersonalAccess .error_code OK .value.ip 127.6.4.2 .value.user "a?b?c" .value.port 102 + + success a0_del_access_wild2_dupe $a0 --osh selfDelPersonalAccess -h 127.6.4.2 -u "a?b?c" -p 102 + json .command selfDelPersonalAccess .error_code OK_NO_CHANGE + + # /user wildcards + success mustwork $a0 -osh selfDelPersonalAccess -h 127.0.0.2 -u $shellaccount -p 226 contain "Access to $shellaccount@127.0.0.2:226" json .command selfDelPersonalAccess .error_code OK .value.ip 127.0.0.2 .value.user $shellaccount .value.port 226 diff --git a/tests/functional/tests.d/350-groups.sh b/tests/functional/tests.d/350-groups.sh index 4cc19d57a..1081b233b 100644 --- a/tests/functional/tests.d/350-groups.sh +++ b/tests/functional/tests.d/350-groups.sh 
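Review bot: The new tests cover positive and negative glob matches and the dupe path, but not the two boundaries that matter for the ACL semantics: that `-u '*'` is folded into the user-any form (a subsequent `--user-any` add on the same host/port should report `OK_NO_CHANGE` and `selfListAccesses` should show a single `*` row), and that a broad glob such as `?*` does not satisfy the scp/sftp check that `--scpup`/`--scpdown` grants are meant to gate (using whatever helper the suite already uses for those). I would add both next to `a0_add_access_wild1`, e.g. `success a0_add_access_wild_star $a0 --osh selfAddPersonalAccess -h 127.6.4.2 -u '*' -p 103` followed by `success a0_add_access_wild_star_any $a0 --osh selfAddPersonalAccess -h 127.6.4.2 --user-any -p 103` with `json .command selfAddPersonalAccess .error_code OK_NO_CHANGE`. `testsuite_selfaccesses` starts and ends outside this hunk.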
@@ -871,11 +871,11 @@ EOS success a3_list_own_accesses $a3 --osh selfListAccesses json .command selfListAccesses .error_code OK - contain REGEX '77\.66\.55\.0/24[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]' - contain REGEX '1\.2\.3\.4[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]' - contain REGEX '77\.66\.55\.4[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]' + contain REGEX '77\.66\.55\.0/24[[:space:]]+\*[[:space:]]+\*[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]' + contain REGEX '1\.2\.3\.4[[:space:]]+\*[[:space:]]+\*[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]' + contain REGEX '77\.66\.55\.4[[:space:]]+\*[[:space:]]+\*[[:space:]]+personal[[:space:]]+'$account0'[[:space:]]' contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group-guest\)[[:space:]]+'$account2'[[:space:]]' - contain REGEX '10\.20\.0\.0/17[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group3'\(group-member\)[[:space:]]+'$account3'[[:space:]]' + contain REGEX '10\.20\.0\.0/17[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group3'\(group-member\)[[:space:]]+'$account3'[[:space:]]' contain "5 accesses listed" run notingroup $a1 --osh accountDelete --account $account2 
@@ -1009,9 +1009,9 @@ EOS json .command groupListServers .error_code OK contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]' contain REGEX '127\.0\.0\.2[[:space:]]+22[[:space:]]+g2[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]' - contain REGEX '127\.0\.0\.10[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' - contain REGEX '127\.0\.0\.11[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' - contain REGEX '127\.0\.0\.12[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]+\S+[[:space:]]+00:00:[01][0123456789]' + contain REGEX '127\.0\.0\.10[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + contain REGEX '127\.0\.0\.11[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + contain REGEX '127\.0\.0\.12[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]+\S+[[:space:]]+00:00:[01][0123456789]' contain '5 accesses listed' # wait for the access to expire 
@@ -1022,16 +1022,16 @@ EOS json .command groupListServers .error_code OK contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]' contain REGEX '127\.0\.0\.2[[:space:]]+22[[:space:]]+g2[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]' - contain REGEX '127\.0\.0\.10[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' - contain REGEX '127\.0\.0\.11[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' - nocontain REGEX '127\.0\.0\.12[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + contain REGEX '127\.0\.0\.10[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + contain REGEX '127\.0\.0\.11[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + nocontain REGEX '127\.0\.0\.12[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' contain '4 accesses listed' success include $a1 --osh groupListServers --group $group1 --include 127.0.0.1 json .command groupListServers .error_code OK contain REGEX '127\.0\.0\.1[[:space:]]+22[[:space:]]+g1[[:space:]]+'$group1'\(group\)[[:space:]]+'$account2'[[:space:]]' - contain REGEX '127\.0\.0\.10[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' - contain REGEX '127\.0\.0\.11[[:space:]]+\(any\)[[:space:]]+\(any\)[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + contain REGEX '127\.0\.0\.10[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' + contain REGEX '127\.0\.0\.11[[:space:]]+\*[[:space:]]+\*[[:space:]]+'$group1'\(group\)[[:space:]]+'$account1'[[:space:]]' contain '3 accesses listed' success include_exclude $a1 --osh groupListServers --group $group1 --include 127.0.0.1 
--exclude 127.0.0.10 --exclude 127.?.0.11