diff --git a/.github/workflows/tests_basic.yml b/.github/workflows/tests_basic.yml index ad4361de9..24c01d5ad 100644 --- a/.github/workflows/tests_basic.yml +++ b/.github/workflows/tests_basic.yml @@ -5,7 +5,7 @@ on: [push, pull_request] jobs: test: name: perlcritic, perltidy, shellcheck, doc - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 timeout-minutes: 10 steps: - uses: actions/checkout@v4 diff --git a/bin/admin/check-consistency.pl b/bin/admin/check-consistency.pl index 48008ba06..75c23f88e 100755 --- a/bin/admin/check-consistency.pl +++ b/bin/admin/check-consistency.pl @@ -18,14 +18,14 @@ # generate a uniq prefix based on caller's lineno and caller's caller's lineno, useful to grep or grep -v sub _prefix { return uc(unpack('H*', pack('S', (caller(1))[2])) . unpack('H*', pack('S', (caller(2))[2]))) . ": "; } -sub info { print $_[0] . "\n"; return 1; } -sub _wrn { $bad++; print colored(_prefix() . $_[0], "blue") . "\n"; return 1; } ## no critic (ProhibitUnusedPrivateSubroutine) +sub info { print $_[0] . "\n"; return 1; } +sub _wrn { $bad++; print colored(_prefix() . $_[0], "blue") . "\n"; return 1; } ## no critic (ProhibitUnusedPrivateSubroutine) sub _err { $bad++; print colored(_prefix() . $_[0], "red") . "\n"; return 1; } sub _crit { $bad++; print colored(_prefix() . $_[0], "bold red") . "\n"; return 1; } # Linux and BSD don't always have the same account names for UID/GID 0 -my ($UID0) = (qx{getent passwd 0})[0] =~ /^([^:]+)/; ## no critic (ProhibitBacktickOperators) -my ($GID0) = (qx{getent group 0})[0] =~ /^([^:]+)/; ## no critic (ProhibitBacktickOperators) +my ($UID0) = (qx{getent passwd 0})[0] =~ /^([^:]+)/; ## no critic (ProhibitBacktickOperators) +my ($GID0) = (qx{getent group 0})[0] =~ /^([^:]+)/; ## no critic (ProhibitBacktickOperators) my $islinux = (($^O =~ /linux/i) ? 1 : 0); my $hasacls = (($^O =~ /linux|freebsd/i) ? 1 : 0); 
@@ -175,7 +175,7 @@ $ALL_FILES{$_} = 1; } while (my $homedir = glob '/home/*') { - -d $homedir or next; + -d $homedir or next; -d "$homedir/ttyrec" or next; next if $homedir eq '/home/proxyhttp'; next if $homedir eq '/home/healthcheck'; @@ -284,7 +284,7 @@ sub check_file_rights { } if (!$hasacls) { - my ($modes, $owner, $group) = (qx{ls -ld $file})[0] =~ m{(\S+)\s+\d+\s+(\S+)\s+(\S+)}; ## no critic (ProhibitBacktickOperators) + my ($modes, $owner, $group) = (qx{ls -ld $file})[0] =~ m{(\S+)\s+\d+\s+(\S+)\s+(\S+)}; ## no critic (ProhibitBacktickOperators) if ($modes ne $expectedmodes) { $ok = 0; _err "on $file got $modes wanted $expectedmodes"; } if ($owner ne $expectedowner) { $ok = 0; _err "on $file got $owner wanted $expectedowner"; } if ($group ne $expectedgroup) { $ok = 0; _err "on $file got $group wanted $expectedgroup"; } @@ -437,7 +437,7 @@ sub check_file_rights { "/home/allowkeeper", [ "# file: /home/allowkeeper", "# owner: allowkeeper", "# group: allowkeeper", "user::rwx", - "group::r-x", "other::r-x", + "group::r-x", "other::r-x", ], "drwxr-xr-x", "allowkeeper", diff --git a/bin/admin/check_uid_gid_collisions.pl b/bin/admin/check_uid_gid_collisions.pl index 5227d6ddf..058f64592 100755 --- a/bin/admin/check_uid_gid_collisions.pl +++ b/bin/admin/check_uid_gid_collisions.pl 
@@ -250,10 +250,10 @@ sub handle_list { push @cmds, sprintf("find \$fslist -xdev -ignore_readdir_race -%s %d -ls -exec %s %d '{}' +", lc($idtype), $master_id, $ch, $new_local_id); - push @cmds, sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $local_name); - push @cmds, sprintf("usermod --uid %d %s", $new_local_id, $local_name) if $type eq 'pw'; - push @cmds, sprintf("groupmod --gid %d %s", $new_local_id, $local_name) if $type eq 'gr'; - push @grepcmds, sprintf("pgrep -%s %s", $type eq 'pw' ? 'U' : 'G', $local_name); + push @cmds, sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $local_name); + push @cmds, sprintf("usermod --uid %d %s", $new_local_id, $local_name) if $type eq 'pw'; + push @cmds, sprintf("groupmod --gid %d %s", $new_local_id, $local_name) if $type eq 'gr'; + push @grepcmds, sprintf("pgrep -%s %s", $type eq 'pw' ? 'U' : 'G', $local_name); # and we ask our caller to call us again as we've changed the local ID for this account or group say "-> okay, offsetting local UID $master_id to $new_local_id"; return 0; 
@@ -287,10 +287,10 @@ sub handle_list { push @cmds, sprintf("find \$fslist -xdev -ignore_readdir_race -%s %d -ls -exec %s %d '{}' +", lc($idtype), $local_id, $ch, $master_id); - push @cmds, sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $master_name); - push @cmds, sprintf("usermod --uid %d %s", $master_id, $master_name) if $type eq 'pw'; - push @cmds, sprintf("groupmod --gid %d %s", $master_id, $master_name) if $type eq 'gr'; - push @grepcmds, sprintf("pgrep -%s %s", $type eq 'pw' ? 'U' : 'G', $master_name); + push @cmds, sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $master_name); + push @cmds, sprintf("usermod --uid %d %s", $master_id, $master_name) if $type eq 'pw'; + push @cmds, sprintf("groupmod --gid %d %s", $master_id, $master_name) if $type eq 'gr'; + push @grepcmds, sprintf("pgrep -%s %s", $type eq 'pw' ? 'U' : 'G', $master_name); say "-> okay, setting local $idtype of $master_name to $master_id instead of $local_id"; # and we ask our caller to call us again as we've changed the local ID for this account or group return 0; diff --git a/bin/admin/osh-sync-watcher.sh b/bin/admin/osh-sync-watcher.sh index 671741ce5..216878a1f 100755 --- a/bin/admin/osh-sync-watcher.sh +++ b/bin/admin/osh-sync-watcher.sh @@ -111,7 +111,7 @@ do _log "... got event, syncing in 3 secs!" sleep 3 else - _warn "... got weird return value $? (maxfiles=$maxfiles); sleeping a bit..." + _warn "... got weird return value $ret (maxfiles=$maxfiles); sleeping a bit..." sleep "$timeout" fi # sanity check myself before diff --git a/bin/admin/setup-gpg.sh b/bin/admin/setup-gpg.sh index 185d4c24c..84ff3c75b 100755 --- a/bin/admin/setup-gpg.sh +++ b/bin/admin/setup-gpg.sh @@ -197,5 +197,3 @@ case "$1" in "") do_usage; exit 0;; *) echo "Unknown command '$1'" >&2; echo; do_usage; exit 1;; esac - -exit 0 diff --git a/bin/cron/osh-cleanup-guest-key-access.pl b/bin/cron/osh-cleanup-guest-key-access.pl index 765a23b19..673ab15b2 100755 
--- a/bin/cron/osh-cleanup-guest-key-access.pl +++ b/bin/cron/osh-cleanup-guest-key-access.pl @@ -148,10 +148,10 @@ sub print_usage { # remove account from group my @command = qw{ /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupSetRole'; - push @command, '--type', 'guest'; - push @command, '--group', $group; + push @command, '--type', 'guest'; + push @command, '--group', $group; push @command, '--account', $account; - push @command, '--action', 'del'; + push @command, '--action', 'del'; $fnret = OVH::Bastion::helper(cmd => \@command); if (!$fnret) { diff --git a/bin/cron/osh-encrypt-rsync.pl b/bin/cron/osh-encrypt-rsync.pl index 0842ed5e8..24873581b 100755 --- a/bin/cron/osh-encrypt-rsync.pl +++ b/bin/cron/osh-encrypt-rsync.pl @@ -41,7 +41,7 @@ sub gpg_sign { my %params = @_; my @cmd = qw{ gpg --batch --trust-model always --sign --passphrase-fd 0 }; push @cmd, qw{ --pinentry-mode loopback } if is_new_gpg(); - push @cmd, "-v" if $verbose >= 2; + push @cmd, "-v" if $verbose >= 2; push @cmd, '--local-user', $params{'signkey'}, '--output', '-', $params{'infile'}; my $outfile; diff --git a/bin/dev/shell-check.sh b/bin/dev/shell-check.sh index 7ef9aff05..e168aab7d 100755 --- a/bin/dev/shell-check.sh +++ b/bin/dev/shell-check.sh @@ -19,7 +19,8 @@ cd "$basedir" || exit 254 if [ "${1:-system}" = system ]; then unset dockertag elif [ "$1" = docker ]; then - dockertag=v0.8.0 + # this is the version shipped with Ubuntu 24.04 + dockertag=v0.9.0 else dockertag="$1" fi diff --git a/bin/helper/osh-accountCreate b/bin/helper/osh-accountCreate index 0dfef58a1..48a9194c1 100755 --- a/bin/helper/osh-accountCreate +++ b/bin/helper/osh-accountCreate @@ -7,7 +7,7 @@ #>HEADER use common::sense; -use Getopt::Long qw(:config no_auto_abbrev no_ignore_case); +use Getopt::Long qw(:config no_auto_abbrev no_ignore_case); use Sys::Hostname (); use JSON; use POSIX (); 
@@ -28,12 +28,12 @@ my ( eval { local $SIG{__WARN__} = sub { push @optwarns, shift }; $result = GetOptions( - "force-key-from=s" => sub { $forceKeyFrom //= $_[1] }, # only to be used by the install script - "type=s" => sub { $type //= $_[1] }, - "from=s" => sub { $realmFrom //= $_[1] }, - "uid=s" => sub { $uid //= $_[1] }, - "account=s" => sub { $account //= $_[1] }, - "always-active" => sub { $alwaysActive //= $_[1] }, + "force-key-from=s" => sub { $forceKeyFrom //= $_[1] }, # only to be used by the install script + "type=s" => sub { $type //= $_[1] }, + "from=s" => sub { $realmFrom //= $_[1] }, + "uid=s" => sub { $uid //= $_[1] }, + "account=s" => sub { $account //= $_[1] }, + "always-active" => sub { $alwaysActive //= $_[1] }, "pubKey=s" => \@pubKeys, "comment=s" => sub { $comment //= $_[1] }, 'uid-auto' => sub { $uidAuto //= $_[1] }, @@ -87,11 +87,11 @@ $account = $fnret->value->{'account'}; $fnret = OVH::Bastion::is_account_existing(account => $account); $fnret->is_err and HEXIT($fnret); -$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $account already exists"); +$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $account already exists"); $fnret = OVH::Bastion::is_group_existing(group => $account); $fnret->is_err and HEXIT($fnret); -$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists"); +$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists"); if ($type eq 'realm') { $account = "realm_$account"; 
@@ -100,11 +100,11 @@ if ($type eq 'realm') { $fnret = OVH::Bastion::is_account_existing(account => $account, accountType => "realm"); $fnret->is_err and HEXIT($fnret); - $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The realm $account already exists"); + $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The realm $account already exists"); $fnret = OVH::Bastion::is_group_existing(group => $account); $fnret->is_err and HEXIT($fnret); - $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists"); + $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists"); } #{'accountCreateDefaultPersonalAccesses'} eq 'ARRAY' && $type eq next unless $ip; my @command = qw{ sudo -n -u allowkeeper -- }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess'; - push @command, '--target', 'any'; - push @command, '--action', 'add'; + push @command, '--target', 'any'; + push @command, '--action', 'add'; push @command, '--account', $account; - push @command, '--ip', $ip; + push @command, '--ip', $ip; if ($user) { push @command, '--user', ($user eq 'ACCOUNT' ? $account : $user); @@ -348,7 +348,7 @@ my %metadata = ( by => $self, bastion_version => $OVH::Bastion::VERSION, datetime_utc => POSIX::strftime("%a %Y-%m-%d %H:%M:%S UTC", gmtime($creation_time)), - datetime_local => POSIX::strftime("%a %Y-%m-%d %H:%M:%S %Z", localtime($creation_time)), + datetime_local => POSIX::strftime("%a %Y-%m-%d %H:%M:%S %Z", localtime($creation_time)), timestamp => $creation_time, comment => $comment, ); 
@@ -485,15 +485,15 @@ OVH::Bastion::syslogFormatted( severity => 'info', type => 'account', fields => [ - ['action', 'create'], - ['account', $account], - ['account_uid', $uid], - ['public_key', @vettedKeys ? $vettedKeys[0] : undef], + ['action', 'create'], + ['account', $account], + ['account_uid', $uid], + ['public_key', @vettedKeys ? $vettedKeys[0] : undef], ['always_active', ($alwaysActive ? 'true' : 'false')], ['uid_auto', ($uidAuto ? 'true' : 'false')], ['osh_only', ($oshOnly ? 'true' : 'false')], ['immutable_key', ($immutableKey ? 'true' : 'false')], - ['comment', $comment], + ['comment', $comment], ] ); diff --git a/bin/helper/osh-accountGetPasswordInfo b/bin/helper/osh-accountGetPasswordInfo index f516a11c0..cf000a08f 100755 --- a/bin/helper/osh-accountGetPasswordInfo +++ b/bin/helper/osh-accountGetPasswordInfo @@ -7,7 +7,7 @@ #>HEADER use common::sense; -use Getopt::Long qw(:config no_auto_abbrev no_ignore_case); +use Getopt::Long qw(:config no_auto_abbrev no_ignore_case); use Sys::Hostname (); use File::Basename; diff --git a/bin/helper/osh-groupAddServer b/bin/helper/osh-groupAddServer index c8e0526e1..867fa641e 100755 --- a/bin/helper/osh-groupAddServer +++ b/bin/helper/osh-groupAddServer 
@@ -23,12 +23,12 @@ my ($group, $user, $ip, $port, $action, $force, $forcePassword, $forceKey, $ttl, eval { local $SIG{__WARN__} = sub { push @optwarns, shift }; $result = GetOptions( - "group=s" => sub { $group //= $_[1] }, # ignore subsequent --group on cmdline (anti-sudoers-override) - "user=s" => sub { $user //= $_[1] }, - "ip=s" => sub { $ip //= $_[1] }, - "port=i" => sub { $port //= $_[1] }, - "action=s" => sub { $action //= $_[1] }, - "force" => sub { $force //= $_[1] }, + "group=s" => sub { $group //= $_[1] }, # ignore subsequent --group on cmdline (anti-sudoers-override) + "user=s" => sub { $user //= $_[1] }, + "ip=s" => sub { $ip //= $_[1] }, + "port=i" => sub { $port //= $_[1] }, + "action=s" => sub { $action //= $_[1] }, + "force" => sub { $force //= $_[1] }, "force-password=s" => sub { $forcePassword //= $_[1] }, "force-key=s" => sub { $forceKey //= $_[1] }, "ttl=i" => sub { $ttl //= $_[1] }, diff --git a/bin/helper/osh-groupCreate b/bin/helper/osh-groupCreate index f2bcdf747..38cf9ef1d 100755 --- a/bin/helper/osh-groupCreate +++ b/bin/helper/osh-groupCreate @@ -114,7 +114,7 @@ foreach my $test ($group, "$group-gatekeeper", "$group-owner") { $fnret = OVH::Bastion::is_account_existing(account => $group); $fnret->is_err and HEXIT($fnret); -$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $group already exists"); +$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $group already exists"); # \@command); diff --git a/bin/plugin/group-owner/groupGenerateEgressKey b/bin/plugin/group-owner/groupGenerateEgressKey index 3041edcc6..b05e21c25 100755 --- a/bin/plugin/group-owner/groupGenerateEgressKey +++ b/bin/plugin/group-owner/groupGenerateEgressKey 
@@ -75,8 +75,8 @@ if ($encrypted) { my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupGenerateEgressKey'; push @command, '--group', $group; -push @command, '--algo', $algo; -push @command, '--size', $size; +push @command, '--algo', $algo; +push @command, '--size', $size; push @command, '--encrypted' if $encrypted; $fnret = OVH::Bastion::helper(cmd => \@command, stdin_str => $passphrase); diff --git a/bin/plugin/group-owner/groupModify b/bin/plugin/group-owner/groupModify index b55cb0b57..0a97e82d2 100755 --- a/bin/plugin/group-owner/groupModify +++ b/bin/plugin/group-owner/groupModify @@ -85,9 +85,9 @@ my @command = qw{ sudo -n -u }; push @command, $group; push @command, qw{ -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupModify'; -push @command, '--group', $group; -push @command, '--mfa-required', $mfaRequired if $mfaRequired; -push @command, '--guest-ttl-limit', $ttl if defined $ttl; +push @command, '--group', $group; +push @command, '--mfa-required', $mfaRequired if $mfaRequired; +push @command, '--guest-ttl-limit', $ttl if defined $ttl; push @command, '--idle-lock-timeout', $idleLockTimeout if defined $idleLockTimeout; push @command, '--idle-kill-timeout', $idleKillTimeout if defined $idleKillTimeout; diff --git a/bin/plugin/open/help b/bin/plugin/open/help index f15c74f4d..95c8cdd5b 100755 --- a/bin/plugin/open/help +++ b/bin/plugin/open/help 
@@ -50,7 +50,7 @@ my @knownPlugins = ( [qw{ accountListIngressKeys accountResetIngressKeys accountMFAResetPassword accountMFAResetTOTP }], 'manage accounts egress credentials (bastion->server)' => [qw{ accountListEgressKeys accountGeneratePassword accountListPasswords }], - 'manage access to restricted commands' => [qw{ accountGrantCommand accountRevokeCommand }], + 'manage access to restricted commands' => [qw{ accountGrantCommand accountRevokeCommand }], 'manage another account accesses to servers' => [qw{ accountListAccesses accountAddPersonalAccess accountDelPersonalAccess whoHasAccessTo }], 'review past sessions' => [qw{ accountListSessions globalListSessions }], @@ -63,7 +63,7 @@ my @knownPlugins = ( ], 'egress passwords commands' => [qw{ groupListPasswords groupGeneratePassword groupDelPassword }], 'gatekeeper commands to manage members' => [qw{ groupAddMember groupDelMember }], - 'gatekeeper commands to manage guests' => + 'gatekeeper commands to manage guests' => [qw{ groupListGuestAccesses groupAddGuestAccess groupDelGuestAccess }], 'aclkeeper commands to manage group servers' => [qw{ groupAddServer groupDelServer }], ], diff --git a/bin/plugin/open/rsync b/bin/plugin/open/rsync index e3deb9898..77ba45c3d 100755 --- a/bin/plugin/open/rsync +++ b/bin/plugin/open/rsync @@ -77,8 +77,8 @@ if (not $ip) { osh_exit 'ERR_HOST_NOT_FOUND', "Sorry, couldn't resolve the host you specified ('$host'), aborting."; } -$port ||= 22; # rsync uses 22 if not specified, so we need to test access to that port and not any port (aka undef) -$user ||= $self; # same for user +$port ||= 22; # rsync uses 22 if not specified, so we need to test access to that port and not any port (aka undef) +$user ||= $self; # same for user $fnret = OVH::Bastion::Plugin::otherProtocol::has_protocol_access( account => $self, diff --git a/bin/plugin/open/scp b/bin/plugin/open/scp index a54c716c1..e78a7d6cc 100755 --- a/bin/plugin/open/scp +++ b/bin/plugin/open/scp 
@@ -4,7 +4,7 @@ use common::sense; use MIME::Base64; use IO::Compress::Gzip qw{ gzip }; -use Sys::Hostname (); +use Sys::Hostname (); use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; @@ -297,8 +297,8 @@ if ($decoded =~ m{[\`\$\;><\|\&]}) { osh_exit('ERR_SECURITY_VIOLATION', "Invalid characters detected, bailing out"); } -$port ||= 22; # scp uses 22 if not specified, so we need to test access to that port and not any port (aka undef) -$user ||= $self; # same for user +$port ||= 22; # scp uses 22 if not specified, so we need to test access to that port and not any port (aka undef) +$user ||= $self; # same for user $fnret = OVH::Bastion::Plugin::otherProtocol::has_protocol_access( account => $self, diff --git a/bin/plugin/open/selfAddIngressKey b/bin/plugin/open/selfAddIngressKey index 19654c47f..9f7cc913a 100755 --- a/bin/plugin/open/selfAddIngressKey +++ b/bin/plugin/open/selfAddIngressKey @@ -13,8 +13,8 @@ my $remainingOptions = OVH::Bastion::Plugin::begin( argv => \@ARGV, header => "add a new public key to your account", options => { - "pubKey|public-key=s" => \my $pubKey, # 'pubKey' is a deprecated name, keep it to not break scripts or people - "piv" => \my $pivExplicit, + "pubKey|public-key=s" => \my $pubKey, # 'pubKey' is a deprecated name, keep it to not break scripts or people + "piv" => \my $pivExplicit, }, helptext => <<'EOF', Add a new ingress public key to your account diff --git a/bin/plugin/open/selfListEgressKeys b/bin/plugin/open/selfListEgressKeys index 295db1c00..4f2387dec 100755 --- a/bin/plugin/open/selfListEgressKeys +++ b/bin/plugin/open/selfListEgressKeys @@ -2,7 +2,7 @@ # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Term::ANSIColor qw{ colored }; -use POSIX qw{ strftime }; +use POSIX qw{ strftime }; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; diff --git a/bin/plugin/open/selfListSessions b/bin/plugin/open/selfListSessions index 4b9a73f2a..974095c44 100755 
--- a/bin/plugin/open/selfListSessions +++ b/bin/plugin/open/selfListSessions @@ -174,9 +174,9 @@ else { push @result, { id => $r->{uniqid}, - from => {ip => $r->{ipfrom}, host => $r->{hostfrom}, port => $r->{portfrom}}, + from => {ip => $r->{ipfrom}, host => $r->{hostfrom}, port => $r->{portfrom}}, via => {ip => $r->{bastionip}, port => $r->{bastionport}, user => $r->{account}}, - to => {ip => $r->{ipto}, port => $r->{portto}, host => $r->{hostto}}, + to => {ip => $r->{ipto}, port => $r->{portto}, host => $r->{hostto}}, timestamp_started => $r->{timestamp} + $r->{timestampusec} / 1_000_000, timestamp_ended => $r->{timestampend} + $r->{timestampendusec} / 1_000_000, type => $r->{cmdtype}, diff --git a/bin/plugin/open/selfPlaySession b/bin/plugin/open/selfPlaySession index 96a85bfcc..9ba846582 100755 --- a/bin/plugin/open/selfPlaySession +++ b/bin/plugin/open/selfPlaySession @@ -64,7 +64,7 @@ else { $r->{params} = undef if ($r->{cmdtype} ne 'osh'); $r->{returnvalue} = $r->{comment} if $r->{returnvalue} < 0; -osh_info sprintf "%8s: %s\n", "ID", $r->{uniqid}; +osh_info sprintf "%8s: %s\n", "ID", $r->{uniqid}; osh_info sprintf "%8s: %s\n", "Started", POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestamp})); osh_info sprintf "%8s: %s\n", "Ended", $r->{timestampend} ? POSIX::strftime("%Y/%m/%d %H:%M:%S", localtime($r->{timestampend})) : 'n/a'; diff --git a/bin/plugin/open/sftp b/bin/plugin/open/sftp index 16bec9073..54a6a1334 100755 --- a/bin/plugin/open/sftp +++ b/bin/plugin/open/sftp @@ -4,7 +4,7 @@ use common::sense; use MIME::Base64; use IO::Compress::Gzip qw{ gzip }; -use Sys::Hostname (); +use Sys::Hostname (); use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; diff --git a/bin/plugin/restricted/accountAddPersonalAccess b/bin/plugin/restricted/accountAddPersonalAccess index 06abe614f..feb7d190a 100755 --- a/bin/plugin/restricted/accountAddPersonalAccess +++ b/bin/plugin/restricted/accountAddPersonalAccess 
@@ -184,15 +184,15 @@ osh_info "Can't verify whether $account\'s personal key has been installed to th my @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess'; -push @command, '--target', 'any'; -push @command, '--action', 'add'; -push @command, '--account', $account; -push @command, '--ip', $ip; -push @command, '--user', $user if $user; -push @command, '--port', $port if $port; -push @command, '--force-key', $forceKey if $forceKey; +push @command, '--target', 'any'; +push @command, '--action', 'add'; +push @command, '--account', $account; +push @command, '--ip', $ip; +push @command, '--user', $user if $user; +push @command, '--port', $port if $port; +push @command, '--force-key', $forceKey if $forceKey; push @command, '--force-password', $forcePassword if $forcePassword; -push @command, '--ttl', $ttl if $ttl; -push @command, '--comment', $comment if $comment; +push @command, '--ttl', $ttl if $ttl; +push @command, '--comment', $comment if $comment; osh_exit OVH::Bastion::helper(cmd => \@command); diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate index 3a2865f86..e1b74197a 100755 --- a/bin/plugin/restricted/accountCreate +++ b/bin/plugin/restricted/accountCreate @@ -119,9 +119,9 @@ if (!$noKey) { # my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountCreate'; -push @command, "--type", "normal"; +push @command, "--type", "normal"; push @command, "--account", $account; -push @command, "--pubKey", $pubKey if !$noKey; +push @command, "--pubKey", $pubKey if !$noKey; push @command, "--always-active" if $alwaysActive; push @command, "--comment", $comment if $comment; push @command, "--uid", $uid if defined $uid; 
@@ -129,7 +129,7 @@ push @command, "--osh-only", if $oshOnly; push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays; push @command, "--uid-auto" if $uidAuto; push @command, "--immutable-key" if $immutableKey; -push @command, '--ttl', $ttl if $ttl; -push @command, '--force-key-from', $forceKeyFrom if ($forceKeyFrom && $< == 0 && $> == 0); # only to be used under root by the install script +push @command, '--ttl', $ttl if $ttl; +push @command, '--force-key-from', $forceKeyFrom if ($forceKeyFrom && $< == 0 && $> == 0); # only to be used under root by the install script osh_exit OVH::Bastion::helper(cmd => \@command); diff --git a/bin/plugin/restricted/accountDelPersonalAccess b/bin/plugin/restricted/accountDelPersonalAccess index f57438d21..5f08ed780 100755 --- a/bin/plugin/restricted/accountDelPersonalAccess +++ b/bin/plugin/restricted/accountDelPersonalAccess @@ -82,11 +82,11 @@ $account = $fnret->value->{'account'}; my @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess'; -push @command, '--target', 'any'; -push @command, '--action', 'del'; +push @command, '--target', 'any'; +push @command, '--action', 'del'; push @command, '--account', $account; -push @command, '--ip', $ip; -push @command, '--user', $user if $user; -push @command, '--port', $port if $port; +push @command, '--ip', $ip; +push @command, '--user', $user if $user; +push @command, '--port', $port if $port; osh_exit OVH::Bastion::helper(cmd => \@command); diff --git a/bin/plugin/restricted/accountGrantCommand b/bin/plugin/restricted/accountGrantCommand index 93fb30431..be5d2f421 100755 --- a/bin/plugin/restricted/accountGrantCommand +++ b/bin/plugin/restricted/accountGrantCommand 
@@ -56,7 +56,7 @@ $account = $fnret->value->{'account'}; my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyCommand'; -push @command, '--action', 'grant'; +push @command, '--action', 'grant'; push @command, '--command', $command; push @command, '--account', $account; diff --git a/bin/plugin/restricted/accountInfo b/bin/plugin/restricted/accountInfo index b94ea53e3..2f0e11052 100755 --- a/bin/plugin/restricted/accountInfo +++ b/bin/plugin/restricted/accountInfo @@ -33,12 +33,12 @@ OVH::Bastion::Plugin::begin( options => { 'account=s' => \my $account, "all" => \my $all, - "list-groups|with-groups" => sub { $withGroups = 1 }, - "without-groups" => sub { $withGroups = 0 }, + "list-groups|with-groups" => sub { $withGroups = 1 }, + "without-groups" => sub { $withGroups = 0 }, 'with-mfa-password-info' => sub { $withPasswordInfo = 1 }, 'without-mfa-password-info' => sub { $withPasswordInfo = 0 }, - 'with-egress-keys' => sub { $withEgressKeys = 1 }, - 'without-egress-keys' => sub { $withEgressKeys = 0 }, + 'with-egress-keys' => sub { $withEgressKeys = 1 }, + 'without-egress-keys' => sub { $withEgressKeys = 0 }, 'with-everything' => sub { toggle_all(1) }, 'without-everything' => sub { toggle_all(0) }, }, 
@@ -143,11 +143,11 @@ foreach my $accHash (@accounts) { if ($withGroups) { foreach my $name (@groups) { my @flags; - push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name, account => $account); + push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name, account => $account); push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name, account => $account); - push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name, account => $account); - push @flags, 'member' if OVH::Bastion::is_group_member(group => $name, account => $account); - push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name, account => $account); + push @flags, 'aclkeeper' if OVH::Bastion::is_group_aclkeeper(group => $name, account => $account); + push @flags, 'member' if OVH::Bastion::is_group_member(group => $name, account => $account); + push @flags, 'guest' if OVH::Bastion::is_group_guest(group => $name, account => $account); $groups_hash->{$name} = {flags => \@flags, name => $name} if @flags; } } diff --git a/bin/plugin/restricted/accountList b/bin/plugin/restricted/accountList index 79050359c..86f8e33d7 100755 --- a/bin/plugin/restricted/accountList +++ b/bin/plugin/restricted/accountList 
@@ -165,9 +165,9 @@ foreach my $account (sort keys %$accounts) { } $states{'can_connect'} = 1; - $states{'can_connect'} = 0 if (!defined $states{'is_active'} || $states{'is_active'} == 0); - $states{'can_connect'} = 0 if (!defined $states{'is_frozen'} || $states{'is_frozen'} == 0); - $states{'can_connect'} = 0 if (!defined $states{'is_expired'} || $states{'is_expired'} == 0); + $states{'can_connect'} = 0 if (!defined $states{'is_active'} || $states{'is_active'} == 0); + $states{'can_connect'} = 0 if (!defined $states{'is_frozen'} || $states{'is_frozen'} == 0); + $states{'can_connect'} = 0 if (!defined $states{'is_expired'} || $states{'is_expired'} == 0); $states{'can_connect'} = 0 if (!defined $states{'is_ttl_expired'} || $states{'is_ttl_expired'} == 0); $states{'mfa_password_required'} = OVH::Bastion::is_user_in_group( diff --git a/bin/plugin/restricted/accountListEgressKeys b/bin/plugin/restricted/accountListEgressKeys index e38f89901..0fe55b4cd 100755 --- a/bin/plugin/restricted/accountListEgressKeys +++ b/bin/plugin/restricted/accountListEgressKeys @@ -2,7 +2,7 @@ # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Term::ANSIColor qw{ colored }; -use POSIX qw{ strftime }; +use POSIX qw{ strftime }; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; diff --git a/bin/plugin/restricted/accountListIngressKeys b/bin/plugin/restricted/accountListIngressKeys index b61cf3883..14d9d5e2d 100755 --- a/bin/plugin/restricted/accountListIngressKeys +++ b/bin/plugin/restricted/accountListIngressKeys @@ -2,7 +2,7 @@ # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Term::ANSIColor qw{ colored }; -use POSIX qw{ strftime }; +use POSIX qw{ strftime }; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; diff --git a/bin/plugin/restricted/accountPIV b/bin/plugin/restricted/accountPIV index 9c439f56f..e8d2313b3 100755 --- a/bin/plugin/restricted/accountPIV +++ b/bin/plugin/restricted/accountPIV 
@@ -83,10 +83,10 @@ osh_info "Changing account configuration..."; @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountPIV'; -push @command, '--step', '1'; +push @command, '--step', '1'; push @command, '--account', $account; -push @command, '--policy', $policy; -push @command, '--ttl', $ttl if defined $ttl; +push @command, '--policy', $policy; +push @command, '--ttl', $ttl if defined $ttl; $fnret = OVH::Bastion::helper(cmd => \@command); $fnret or osh_exit $fnret; @@ -98,10 +98,10 @@ osh_info "Applying change to keys..."; push @command, $account; push @command, qw{ -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountPIV'; -push @command, '--step', '2'; +push @command, '--step', '2'; push @command, '--account', $account; -push @command, '--policy', $policy; -push @command, '--ttl', $ttl if defined $ttl; +push @command, '--policy', $policy; +push @command, '--ttl', $ttl if defined $ttl; $fnret = OVH::Bastion::helper(cmd => \@command); osh_exit $fnret; diff --git a/bin/plugin/restricted/accountRevokeCommand b/bin/plugin/restricted/accountRevokeCommand index dda95d70a..e0d9af51e 100755 --- a/bin/plugin/restricted/accountRevokeCommand +++ b/bin/plugin/restricted/accountRevokeCommand @@ -49,7 +49,7 @@ $account = $fnret->value->{'account'}; my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyCommand'; -push @command, '--action', 'revoke'; +push @command, '--action', 'revoke'; push @command, '--command', $command; push @command, '--account', $account; diff --git a/bin/plugin/restricted/accountUnexpire b/bin/plugin/restricted/accountUnexpire index 4d9b1622e..87f43f219 100755 --- a/bin/plugin/restricted/accountUnexpire +++ b/bin/plugin/restricted/accountUnexpire 
@@ -2,7 +2,7 @@ # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Term::ANSIColor qw{ colored }; -use POSIX qw{ strftime }; +use POSIX qw{ strftime }; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; diff --git a/bin/plugin/restricted/accountUnlock b/bin/plugin/restricted/accountUnlock index 0c72bf3b0..5157839ea 100755 --- a/bin/plugin/restricted/accountUnlock +++ b/bin/plugin/restricted/accountUnlock @@ -2,7 +2,7 @@ # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Term::ANSIColor qw{ colored }; -use POSIX qw{ strftime }; +use POSIX qw{ strftime }; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; use OVH::Result; diff --git a/bin/plugin/restricted/groupCreate b/bin/plugin/restricted/groupCreate index 8e66561ac..f84a288d2 100755 --- a/bin/plugin/restricted/groupCreate +++ b/bin/plugin/restricted/groupCreate @@ -103,8 +103,8 @@ if ($algo) { my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupCreate'; push @command, "--group", $group, "--owner", $owner; -push @command, "--algo", $algo if $algo; -push @command, "--size", $size if $size; +push @command, "--algo", $algo if $algo; +push @command, "--size", $size if $size; push @command, "--encrypted" if $encrypted; push @command, "--no-key" if $no_key; diff --git a/bin/plugin/restricted/realmCreate b/bin/plugin/restricted/realmCreate index b0ca611d8..45ec2d743 100755 --- a/bin/plugin/restricted/realmCreate +++ b/bin/plugin/restricted/realmCreate 
@@ -78,7 +78,7 @@ $fnret or osh_exit $fnret; # my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountCreate'; -push @command, "--type", "realm", "--account", $realm, "--pubKey", $pubKey, "--always-active", "--uid-auto"; +push @command, "--type", "realm", "--account", $realm, "--pubKey", $pubKey, "--always-active", "--uid-auto"; push @command, "--from", $from if $from; push @command, "--comment", $comment if $comment; diff --git a/bin/plugin/restricted/rootListIngressKeys b/bin/plugin/restricted/rootListIngressKeys index d2f63f1f3..5c16a29c0 100755 --- a/bin/plugin/restricted/rootListIngressKeys +++ b/bin/plugin/restricted/rootListIngressKeys @@ -2,7 +2,7 @@ # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use Term::ANSIColor qw{ colored }; -use POSIX qw{ strftime }; +use POSIX qw{ strftime }; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; diff --git a/bin/plugin/restricted/selfAddPersonalAccess b/bin/plugin/restricted/selfAddPersonalAccess index a91ea7c06..e8f5dd45d 100755 --- a/bin/plugin/restricted/selfAddPersonalAccess +++ b/bin/plugin/restricted/selfAddPersonalAccess 
@@ -190,15 +190,15 @@ else { my @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess'; -push @command, '--target', 'self'; -push @command, '--action', 'add'; -push @command, '--account', $self; -push @command, '--ip', $ip; -push @command, '--user', $user if $user; -push @command, '--port', $port if $port; -push @command, '--force-key', $forceKey if $forceKey; +push @command, '--target', 'self'; +push @command, '--action', 'add'; +push @command, '--account', $self; +push @command, '--ip', $ip; +push @command, '--user', $user if $user; +push @command, '--port', $port if $port; +push @command, '--force-key', $forceKey if $forceKey; push @command, '--force-password', $forcePassword if $forcePassword; -push @command, '--ttl', $ttl if $ttl; -push @command, '--comment', $comment if $comment; +push @command, '--ttl', $ttl if $ttl; +push @command, '--comment', $comment if $comment; osh_exit OVH::Bastion::helper(cmd => \@command); diff --git a/bin/plugin/restricted/selfDelPersonalAccess b/bin/plugin/restricted/selfDelPersonalAccess index 2da715750..803c10d83 100755 --- a/bin/plugin/restricted/selfDelPersonalAccess +++ b/bin/plugin/restricted/selfDelPersonalAccess @@ -71,11 +71,11 @@ $port = $fnret->value->{'port'}; my @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess'; -push @command, '--target', 'self'; -push @command, '--action', 'del'; +push @command, '--target', 'self'; +push @command, '--action', 'del'; push @command, '--account', $self; -push @command, '--ip', $ip; -push @command, '--user', $user if $user; -push @command, '--port', $port if $port; +push @command, '--ip', $ip; +push @command, '--user', $user if $user; +push @command, '--port', $port if $port; osh_exit OVH::Bastion::helper(cmd => \@command); 
diff --git a/bin/plugin/restricted/whoHasAccessTo b/bin/plugin/restricted/whoHasAccessTo index 766066471..5a9643522 100755 --- a/bin/plugin/restricted/whoHasAccessTo +++ b/bin/plugin/restricted/whoHasAccessTo @@ -73,8 +73,8 @@ sub process_account { ipfrom => $ENV{'OSH_IP_FROM'}, port => $port, cache => 1, - ignorePort => ($port ? 0 : 1), # return accesses without checking for the specified port - ignoreUser => ($user ? 0 : 1), # return accesses without checking for the specified remote user + ignorePort => ($port ? 0 : 1), # return accesses without checking for the specified port + ignoreUser => ($user ? 0 : 1), # return accesses without checking for the specified remote user ); if ($fnret) { my $byPersonal = 0; diff --git a/bin/proxy/osh-http-proxy-daemon b/bin/proxy/osh-http-proxy-daemon index df71b6bd4..88dae9b56 100755 --- a/bin/proxy/osh-http-proxy-daemon +++ b/bin/proxy/osh-http-proxy-daemon @@ -69,14 +69,14 @@ $config->{'log_request_response'} //= 1; OVH::Bastion::ProxyHTTP->new()->run( %options, - port => $config->{'port'} . '/ssl', - SSL_key_file => $config->{'ssl_key'}, - SSL_cert_file => $config->{'ssl_certificate'}, - ipv => 4, - server_type => 'PreFork', - max_requests => 1, # DO NOT TOUCH, anything else that this seems to mix requests/answers (!?) - min_servers => $config->{'min_servers'}, - max_servers => $config->{'max_servers'}, + port => $config->{'port'} . '/ssl', + SSL_key_file => $config->{'ssl_key'}, + SSL_cert_file => $config->{'ssl_certificate'}, + ipv => 4, + server_type => 'PreFork', + max_requests => 1, # DO NOT TOUCH, anything else that this seems to mix requests/answers (!?) + min_servers => $config->{'min_servers'}, + max_servers => $config->{'max_servers'}, min_spare_servers => $config->{'min_spare_servers'}, max_spare_servers => $config->{'max_spare_servers'}, access_log_file => "/home/proxyhttp/access.log", 
@@ -88,8 +88,8 @@ OVH::Bastion::ProxyHTTP->new()->run( # which is also the max allowed value of the 'timeout' config param (see above). timeout_idle => 3600, proxy_config => { - insecure => $config->{'insecure'} ? 1 : 0, - timeout => $config->{'timeout'}, # our worker will wait for up to this amount of time for the egress connection to complete + insecure => $config->{'insecure'} ? 1 : 0, + timeout => $config->{'timeout'}, # our worker will wait for up to this amount of time for the egress connection to complete log_request_response => $config->{'log_request_response'} ? 1 : 0, log_request_response_max_size => $config->{'log_request_response_max_size'}, allowed_egress_protocols => $config->{'allowed_egress_protocols'} || ['https'], diff --git a/bin/proxy/osh-http-proxy-worker b/bin/proxy/osh-http-proxy-worker index fb10787cc..f551ab75d 100755 --- a/bin/proxy/osh-http-proxy-worker +++ b/bin/proxy/osh-http-proxy-worker @@ -18,7 +18,7 @@ use IO::Socket::SSL; use IO::Socket::SSL; use LWP::UserAgent; use MIME::Base64; -use POSIX (); +use POSIX (); use Storable qw{ freeze thaw }; use Sys::Hostname; use Time::HiRes (); @@ -547,11 +547,11 @@ if ($res) { push @headers, [$key => $res->header($key)]; } } -push @headers, ["X-Bastion-Local-Status" => ($res ? "200 OK" : "504 Device Timeout")]; +push @headers, ["X-Bastion-Local-Status" => ($res ? "200 OK" : "504 Device Timeout")]; push @headers, ["X-Bastion-Remote-Status" => $res->code] if $res; push @headers, ["X-Bastion-Remote-Server" => $res->header('server')] if ($res && $res->header('server')); push @headers, ["X-Bastion-Egress-Timing" => sprintf("%d", $delay * 1_000_000)]; -push @headers, ["X-Bastion-Downgraded" => 1] if $downgraded; +push @headers, ["X-Bastion-Downgraded" => 1] if $downgraded; # custom data will only be logged to logfile and syslog, not sql (it's not in the generic schema) if ($res) { diff --git a/bin/shell/connect.pl b/bin/shell/connect.pl index 5e1efffae..67ec563b7 100755 --- a/bin/shell/connect.pl 
+++ b/bin/shell/connect.pl @@ -114,7 +114,7 @@ sub exit_sig { } } else { - ; # grsec can deny us this. if that's the case, nevermind ... bypass this check + ; # grsec can deny us this. if that's the case, nevermind ... bypass this check } # in any case, force this diff --git a/bin/shell/osh.pl b/bin/shell/osh.pl index 8f2a9089f..db50a8ced 100755 --- a/bin/shell/osh.pl +++ b/bin/shell/osh.pl @@ -141,10 +141,10 @@ sub main_exit { # First Check : is USER valid ? # my $activenessDenyOnFailure = OVH::Bastion::config("accountExternalValidationDenyOnFailure")->value; -my $msg_to_print_delayed; # if set, will be osh_warn()'ed if we're connecting through ssh (i.e. not scp/sftp, it breaks it) +my $msg_to_print_delayed; # if set, will be osh_warn()'ed if we're connecting through ssh (i.e. not scp/sftp, it breaks it) $fnret = OVH::Bastion::is_account_active(account => $self); if ($fnret) { - ; # OK + ; # OK } elsif ($fnret->is_ko || ($activenessDenyOnFailure && $fnret->is_err)) { main_exit OVH::Bastion::EXIT_ACCOUNT_INACTIVE, "account_inactive", "Sorry $self, your account is inactive."; 
@@ -349,35 +349,35 @@ sub main_exit { my $remainingOptions; ($result, $remainingOptions) = GetOptionsFromString( $beforeOptions // "", - "port|p=i" => \my $optPort, - "verbose+" => \my $verbose, - "tty|t" => \my $tty, - "no-tty|T" => \my $notty, - "user|u=s" => \my $user, - "osh=s" => \my $osh_command, - "telnet|e" => \my $telnet, - "password=s" => \my $passwordFile, - "self-password|P" => \my $selfPassword, - "host|h=s" => \my $host, - "help" => \my $help, - "long-help" => \my $longHelp, - "quiet|q" => \my $quiet, - "timeout=i" => \my $timeout, - "bind=s" => \my $bind, - "debug" => \my $debug, - "json" => \my $json, - "json-greppable" => \my $json_greppable, - "json-pretty" => \my $json_pretty, - "always-escape" => \my $_dummy1, # not used as corresponding option has already been ninja-used above - "never-escape" => \my $_dummy2, # not used as corresponding option has already been ninja-used above - "interactive|i" => \my $interactive, - "netconf" => \my $netconf, - "wait" => \my $wait, - "forward-agent|x" => \my $sshAddKeysToAgent, - "ssh-as=s" => \my $sshAs, - "use-key=s" => \my $useKey, - "kbd-interactive" => \my $userKbdInteractive, - "proactive-mfa" => \my $proactiveMfa, + "port|p=i" => \my $optPort, + "verbose+" => \my $verbose, + "tty|t" => \my $tty, + "no-tty|T" => \my $notty, + "user|u=s" => \my $user, + "osh=s" => \my $osh_command, + "telnet|e" => \my $telnet, + "password=s" => \my $passwordFile, + "self-password|P" => \my $selfPassword, + "host|h=s" => \my $host, + "help" => \my $help, + "long-help" => \my $longHelp, + "quiet|q" => \my $quiet, + "timeout=i" => \my $timeout, + "bind=s" => \my $bind, + "debug" => \my $debug, + "json" => \my $json, + "json-greppable" => \my $json_greppable, + "json-pretty" => \my $json_pretty, + "always-escape" => \my $_dummy1, # not used as corresponding option has already been ninja-used above + "never-escape" => \my $_dummy2, # not used as corresponding option has already been ninja-used above + "interactive|i" => \my 
$interactive, + "netconf" => \my $netconf, + "wait" => \my $wait, + "forward-agent|x" => \my $sshAddKeysToAgent, + "ssh-as=s" => \my $sshAs, + "use-key=s" => \my $useKey, + "kbd-interactive" => \my $userKbdInteractive, + "proactive-mfa" => \my $proactiveMfa, "fallback-password-delay=i" => \my $fallbackPasswordDelay, "generate-mfa-token" => \my $generateMfaToken, "mfa-token=s" => \my $mfaToken, @@ -718,7 +718,7 @@ sub main_exit { main_exit OVH::Bastion::EXIT_CONFLICTING_OPTIONS, 'kbd_interactive_denied', "Sorry $self, the keyboard-interactive egress authentication scheme has been disabled by policy"; } -$ENV{'OSH_KBD_INTERACTIVE'} = 1 if $userKbdInteractive; # useful for plugins that need to call ssh by themselves (for example to test a connection, i.e. groupAddServer) +$ENV{'OSH_KBD_INTERACTIVE'} = 1 if $userKbdInteractive; # useful for plugins that need to call ssh by themselves (for example to test a connection, i.e. groupAddServer) # MFA enforcing for ingress connection, either on global bastion config, or on specific account config my $mfaPolicy = OVH::Bastion::config('accountMFAPolicy')->value; @@ -886,7 +886,7 @@ sub main_exit { ['account' => $self], ['sudo-as', $sshAs], ['plugin', 'ssh'], - ['params', join(" ", @forwardOptions)] + ['params', join(" ", @forwardOptions)] ] ); @@ -1023,7 +1023,8 @@ sub main_exit { } if (!grep { $MFArequiredForPlugin eq $_ } qw{ password totp any none }) { - main_exit(OVH::Bastion::EXIT_MFA_FAILED, + main_exit( + OVH::Bastion::EXIT_MFA_FAILED, 'mfa_plugin_configuration_failed', "MFA configuration is incorrect for this plugin, report to your sysadmin!" ); 
@@ -1157,7 +1158,7 @@ sub main_exit { my $displayLine = sprintf("%s => %s => %s", OVH::Bastion::machine_display(ip => $hostfrom, port => $portfrom)->value, OVH::Bastion::machine_display(ip => $bastionhost, port => $bastionport, user => $self)->value, - OVH::Bastion::machine_display(ip => $hostto, port => $port, user => $user)->value, + OVH::Bastion::machine_display(ip => $hostto, port => $port, user => $user)->value, ); if (!$quiet) { @@ -1526,7 +1527,7 @@ sub main_exit { $bastion_details{'piv'}{'enforced'} //= \0; $bastion_details{'from'} = {addr => $ipfrom, host => $hostfrom, port => $portfrom + 0}; $bastion_details{'via'} = {addr => $bastionip, host => $bastionhost, port => $bastionport + 0, name => $bastionName}; -$bastion_details{'to'} = {addr => $ip, host => $hostto, port => $port + 0, user => $user}; +$bastion_details{'to'} = {addr => $ip, host => $hostto, port => $port + 0, user => $user}; $bastion_details{'account'} = $self; $bastion_details{'uniqid'} = $log_uniq_id; $bastion_details{'version'} = $OVH::Bastion::VERSION; @@ -1643,7 +1644,7 @@ sub main_exit { push @toExecute, $OVH::Bastion::BASEPATH . '/bin/shell/connect.pl'; exec( - @toExecute, $ip, $port, $config->{'sshClientHasOptionE'}, + @toExecute, $ip, $port, $config->{'sshClientHasOptionE'}, $userPasswordClue, $saveFile, $logret->value->{'insert_id'}, $logret->value->{'db_name'}, @@ -1720,7 +1721,7 @@ sub get_details_from_access_array { } osh_printf( " - %s with %s-%s key %s %s%s", - $type, $keyinfo->{'family'}, $keyinfo->{'size'}, $keyinfo->{'fingerprint'}, + $type, $keyinfo->{'family'}, $keyinfo->{'size'}, $keyinfo->{'fingerprint'}, $generated, $forced ) unless $quiet; push @keysToTry, $keyinfo->{'fullpath'} if not(grep { $_ eq $keyinfo->{'fullpath'} } @keysToTry); diff --git a/bin/sudogen/generate-sudoers.sh b/bin/sudogen/generate-sudoers.sh index b7c1abba3..d98073fc5 100755 --- a/bin/sudogen/generate-sudoers.sh +++ b/bin/sudogen/generate-sudoers.sh 
@@ -205,5 +205,3 @@ else echo "Invalid type specified" >&2 die_usage fi - -die_usage diff --git a/contrib/nrpe/probes/bastion-root-connected-too-long b/contrib/nrpe/probes/bastion-root-connected-too-long index dc846e643..3a10a55af 100755 --- a/contrib/nrpe/probes/bastion-root-connected-too-long +++ b/contrib/nrpe/probes/bastion-root-connected-too-long @@ -116,7 +116,7 @@ PID: foreach my $pid (@pidlist) { next; } while (<$fh>) { - next if (not /^[UG]id:/); # parse Uid / Gid numbers + next if (not /^[UG]id:/); # parse Uid / Gid numbers my ($id1, $id2, undef, $id4) = /(\d+)/g; next PID if (not grep { $_ == 0 } ($id1, $id2, $id4)); # Root detected _dbg("process $pid running as root, analyzing tty"); diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index c693c298b..56b511a64 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,3 +1,8 @@ +## v3.19.01 - 2025/03/04 +- feat: httpproxy: optional support for plain http on egress +- fix: selfPlaySession: warn in syslog properly +- chore: github actions: replace ubuntu 20.04 by 24.04 (EOL) + ## v3.19.00 - 2025/02/25 - feat: add agent forwarding support on egress side - feat: add undocumented rename-account.sh and modify osh-orphaned-homedir.sh accordingly diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst index 0cc16a1cd..402cdf3ec 100644 --- a/doc/sphinx/installation/upgrading.rst +++ b/doc/sphinx/installation/upgrading.rst @@ -27,6 +27,11 @@ See the ``--help`` for a more fine-grained upgrade path if needed. Version-specific upgrade instructions ===================================== +v3.19.01 - 2025/03/04 +********************* + +No specific upgrade instructions. + v3.19.00 - 2025/02/25 ********************* diff --git a/docker/devenv/Dockerfile b/docker/devenv/Dockerfile index 32334b7a8..4663490a8 100644 --- a/docker/devenv/Dockerfile +++ b/docker/devenv/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM ubuntu:24.04 LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" # temporarily copy code, just to be able to install packages diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index 8a9e38bff..f0d3ec291 100644 --- a/lib/perl/OVH/Bastion.pm +++ b/lib/perl/OVH/Bastion.pm @@ -5,7 +5,7 @@ use common::sense; use Fcntl; use POSIX qw(strftime); -our $VERSION = '3.19.00'; +our $VERSION = '3.19.01'; BEGIN { # only used by the handler below @@ -49,8 +49,8 @@ BEGIN { use JSON; use Term::ANSIColor; -use File::Basename; # dirname -use Cwd; # need to use realpath because we use that to build sudoers for groups +use File::Basename; # dirname +use Cwd; # need to use realpath because we use that to build sudoers for groups our $BASEPATH = Cwd::realpath(dirname(__FILE__) . '/../../../'); # usually /opt/bastion # untaint $BASEPATH manually because realpath() tainted it back @@ -439,7 +439,7 @@ sub json_output { ## no critic (ArgUnpacking) my %params = @_; my $force_default = $params{'force_default'}; my $no_delimiters = $params{'no_delimiters'}; - my $command = $params{'command'} || $ENV{'PLUGIN_NAME'}; + my $command = $params{'command'} || $ENV{'PLUGIN_NAME'}; my $filehandle = $params{'filehandle'} || *STDOUT; my $JsonObject = JSON->new->utf8; @@ -768,7 +768,7 @@ sub machine_display { my $user = $params{'user'}; my $machine = (index($ip, ':') >= 0 ? "[$ip]" : $ip); - $machine .= ":$port" if $port; + $machine .= ":$port" if $port; $machine = $user . '@' . $machine if $user; return R('OK', value => $machine); @@ -879,7 +879,7 @@ sub can_account_execute_plugin { my %params = @_; my $account = $params{'account'} || OVH::Bastion::get_user_from_env()->value; my $plugin = $params{'plugin'}; - my $cache = $params{'cache'}; # allow cache use in get_user_groups(), is_user_in_group() etc. + my $cache = $params{'cache'}; # allow cache use in get_user_groups(), is_user_in_group() etc. my $fnret; if (not $plugin or not $account) { 
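Review bot: Switching the dev image to `ubuntu:24.04` changes more than the release number: the 24.04 base image ships a pre-created `ubuntu` user and group at UID/GID 1000, which the 20.04 image did not, so any later step in this Dockerfile or in the dev flow that creates local accounts with fixed or auto-assigned low UIDs may now collide with it. If that applies here, consider `RUN userdel -r ubuntu` right after the `FROM` line, or note in the comment on the following line that the image only runs the package-install steps visible in this hunk. The Perl shipped with 24.04 is also considerably newer than the one in 20.04, so the perlcritic/perltidy job mentioned in the changelog may surface new deprecation warnings; worth a run before merging.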
@@ -1064,7 +1064,7 @@ sub get_user_from_env { sub get_home_from_env { my ($sanitized) = (getpwuid($>))[7] =~ m{^([a-zA-Z0-9_/.-]+)$}; - $sanitized =~ s/\.+/./g; # disallow 2 or more consecutive dots, i.e. "john.doe" is ok, "john/../../../etc/passwd" is not + $sanitized =~ s/\.+/./g; # disallow 2 or more consecutive dots, i.e. "john.doe" is ok, "john/../../../etc/passwd" is not return R('OK', value => $sanitized); } @@ -1146,10 +1146,10 @@ sub build_ttyrec_cmdline_part1of2 { my $bastionName = OVH::Bastion::config('bastionName')->value; my $ttyrecFilenameFormat = OVH::Bastion::config('ttyrecFilenameFormat')->value; $ttyrecFilenameFormat =~ s/&bastionname/$bastionName/g; - $ttyrecFilenameFormat =~ s/&uniqid/$params{'uniqid'}/g if $params{'uniqid'}; - $ttyrecFilenameFormat =~ s/&ip/$params{'ip'}/g if $params{'ip'}; - $ttyrecFilenameFormat =~ s/&port/$params{'port'}/g if defined $params{'port'}; - $ttyrecFilenameFormat =~ s/&user/$params{'user'}/g if defined $params{'user'}; + $ttyrecFilenameFormat =~ s/&uniqid/$params{'uniqid'}/g if $params{'uniqid'}; + $ttyrecFilenameFormat =~ s/&ip/$params{'ip'}/g if $params{'ip'}; + $ttyrecFilenameFormat =~ s/&port/$params{'port'}/g if defined $params{'port'}; + $ttyrecFilenameFormat =~ s/&user/$params{'user'}/g if defined $params{'user'}; $ttyrecFilenameFormat =~ s/&account/$params{'account'}/g if $params{'account'}; if ($ttyrecFilenameFormat =~ /&(bastionname|uniqid|ip|port|user|account)/) { diff --git a/lib/perl/OVH/Bastion/Helper.pm b/lib/perl/OVH/Bastion/Helper.pm index 0c214bdca..783abb8d6 100644 --- a/lib/perl/OVH/Bastion/Helper.pm +++ b/lib/perl/OVH/Bastion/Helper.pm @@ -3,7 +3,7 @@ package OVH::Bastion::Helper; # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; -use Fcntl qw{ :flock :mode }; +use Fcntl qw{ :flock :mode }; use Time::HiRes qw{ usleep }; use File::Basename; 
@@ -13,7 +13,7 @@ use OVH::Result; # We handle our importer's '$self' var, this is by design. use Exporter 'import'; -our $self; ## no critic (ProhibitPackageVars) +our $self; ## no critic (ProhibitPackageVars) our @EXPORT = qw( $self HEXIT ); ## no critic (ProhibitAutomaticExportation) # HEXIT aka "helper exit", used by helper scripts found in helpers/ @@ -57,7 +57,7 @@ sub check_spurious_args { $| = 1; # Don't let helpers be interrupted too easily -$SIG{'HUP'} = 'IGNORE'; # continue even when attached terminal is closed (we're called with setsid on supported systems anyway) +$SIG{'HUP'} = 'IGNORE'; # continue even when attached terminal is closed (we're called with setsid on supported systems anyway) $SIG{'PIPE'} = 'IGNORE'; # continue even if osh_info gets a SIGPIPE because there's no longer a terminal # Ensure the PATH is not tainted, and has sane values diff --git a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm index ecd2baaa2..a7ac915e0 100644 --- a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm +++ b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm @@ -182,8 +182,8 @@ sub act { if (!($type eq 'guest' and $action eq 'del')) { @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupSetRole'; - push @command, '--type', $type; - push @command, '--group', $group; + push @command, '--type', $type; + push @command, '--group', $group; push @command, '--account', $account, '--action', $action; $fnret = OVH::Bastion::helper(cmd => \@command); $fnret or return $fnret; 
@@ -234,7 +234,7 @@ sub act { # then, for add and del, we need to handle the symlink @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupAddSymlinkToAccount'; - push @command, '--group', $group; # must be first params, forced in sudoers.d + push @command, '--group', $group; # must be first params, forced in sudoers.d push @command, '--account', $account; push @command, '--action', $action; $fnret = OVH::Bastion::helper(cmd => \@command); @@ -287,13 +287,13 @@ sub act { # Add/Del user access to user@host:port with group key @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountAddGroupServer'; - push @command, '--group', $group; # must be first params, forced in sudoers.d + push @command, '--group', $group; # must be first params, forced in sudoers.d push @command, '--account', $account; push @command, '--action', $action; push @command, '--ip', $host; - push @command, '--user', $user if $user; - push @command, '--port', $port if $port; - push @command, '--ttl', $ttl if $ttl; + push @command, '--user', $user if $user; + push @command, '--port', $port if $port; + push @command, '--ttl', $ttl if $ttl; push @command, '--comment', $comment if $comment; $fnret = OVH::Bastion::helper(cmd => \@command); @@ -357,10 +357,10 @@ sub act { # @command = qw{ sudo -n -u root -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupSetRole'; - push @command, '--type', 'guest'; - push @command, '--group', $group; + push @command, '--type', 'guest'; + push @command, '--group', $group; push @command, '--account', $account; - push @command, '--action', 'del'; + push @command, '--action', 'del'; $fnret = OVH::Bastion::helper(cmd => \@command); $fnret or return $fnret; diff --git a/lib/perl/OVH/Bastion/ProxyHTTP.pm b/lib/perl/OVH/Bastion/ProxyHTTP.pm index a888eff39..7bbe6a307 100644 
--- a/lib/perl/OVH/Bastion/ProxyHTTP.pm +++ b/lib/perl/OVH/Bastion/ProxyHTTP.pm @@ -10,7 +10,7 @@ use OVH::Bastion; use CGI; use JSON; -use Fcntl qw(:flock); +use Fcntl qw(:flock); use Time::HiRes (); use MIME::Base64; use Net::Server::PreForkSimple; @@ -37,7 +37,7 @@ sub send_status { $out .= "$row->[0]: $row->[1]\r\n"; push @{$request_info->{'response_headers'}}, $row; $content_type_already_sent++ if (lc($row->[0]) eq 'content-type'); - $want_gzip++ if (lc($row->[0]) eq 'content-encoding' && $row->[1] =~ /gzip/); + $want_gzip++ if (lc($row->[0]) eq 'content-encoding' && $row->[1] =~ /gzip/); } $self->{'server'}->{'client'}->print($out); $request_info->{'http_version'} = '1.0'; @@ -84,11 +84,11 @@ sub log_and_exit { # log in sql and/or logfile and/or syslog my $processing_delay = ($starttime ? int(Time::HiRes::tv_interval($starttime) * 1_000_000) : undef); - $params->{'account'} = $account; # might be undef if we're called before the account is extracted from the payload - $params->{'user'} = $user; # ditto - $params->{'hostto'} = $hostto; # ditto - $params->{'portto'} = $portto; # ditto - $params->{'loghome'} = 'proxyhttp'; + $params->{'account'} = $account; # might be undef if we're called before the account is extracted from the payload + $params->{'user'} = $user; # ditto + $params->{'hostto'} = $hostto; # ditto + $params->{'portto'} = $portto; # ditto + $params->{'loghome'} = 'proxyhttp'; $params->{'cmdtype'} = 'proxyhttp_daemon'; $params->{'ipfrom'} = $self->{'request_info'}{'peeraddr'}; $params->{'portfrom'} = $self->{'request_info'}{'peerport'}; 
@@ -400,8 +400,8 @@ sub process_http_request { {comment => "bad_login_format"} ); } - my ($account, $user_expression, $remotemachine, $remoteport) = ($1, $2, $3, $4); ## no critic (ProhibitCaptureWithoutTest) - undef $loginpart; # no longer needed + my ($account, $user_expression, $remotemachine, $remoteport) = ($1, $2, $3, $4); ## no critic (ProhibitCaptureWithoutTest) + undef $loginpart; # no longer needed $remoteport = 443 if not defined $remoteport; $self->{'_log'}{'hostto'} = $remotemachine; $self->{'_log'}{'portto'} = $remoteport; @@ -461,7 +461,7 @@ sub process_http_request { {comment => "invalid_credentials"} ); } - $account = $fnret->value->{'account'}; # untaint + $account = $fnret->value->{'account'}; # untaint $self->{'_log'}{'account'} = $account; if ($user !~ /^[a-zA-Z0-9._-]+/) { @@ -544,12 +544,14 @@ sub process_http_request { } # here, we know the account is right, so we sudo to this account to proceed - my @cmd = ("sudo", "-n", "-u", $account, "--", "/usr/bin/env", "perl", "-T", - "/opt/bastion/bin/proxy/osh-http-proxy-worker"); + my @cmd = ( + "sudo", "-n", "-u", $account, "--", "/usr/bin/env", "perl", "-T", + "/opt/bastion/bin/proxy/osh-http-proxy-worker" + ); push @cmd, "--account", $account, "--context", $context, "--user", $user, "--host", $remotemachine, "--uniqid", $ENV{'UNIQID'}; push @cmd, "--method", $self->{'request_info'}{'request_method'}, "--path", $self->{'request_info'}{'request_path'}; - push @cmd, "--port", $remoteport; + push @cmd, "--port", $remoteport; push @cmd, "--group", $group if $group; push @cmd, "--timeout", $timeout if $timeout; push @cmd, "--allow-downgrade" if $allow_downgrade; diff --git a/lib/perl/OVH/Bastion/allowdeny.inc b/lib/perl/OVH/Bastion/allowdeny.inc index 4f4397fdc..51060cea2 100644 --- a/lib/perl/OVH/Bastion/allowdeny.inc +++ b/lib/perl/OVH/Bastion/allowdeny.inc 
@@ -21,9 +21,9 @@ sub get_personal_account_keys { $account = $fnret->value->{'account'}; # untainted version return _get_pub_keys_from_directory( - dir => "/home/$account/.ssh", - pattern => qr/^private\.pub$|^id_[a-z0-9]+[_.]private\.\d+\.pub$/, - listOnly => $listOnly, # don't be slow and don't parse the keys (by calling ssh-keygen -lf) + dir => "/home/$account/.ssh", + pattern => qr/^private\.pub$|^id_[a-z0-9]+[_.]private\.\d+\.pub$/, + listOnly => $listOnly, # don't be slow and don't parse the keys (by calling ssh-keygen -lf) forceKey => $forceKey, wantPrivate => 1, ); 
@@ -72,21 +72,21 @@ sub get_group_keys { sub is_access_way_granted { my %params = @_; - my $exactIpMatch = $params{'exactIpMatch'}; # $ip must be explicitly allowed (not given through a wider subnet or a 0.0.0.0/0 in grantfile) - my $exactPortMatch = $params{'exactPortMatch'}; # $port must be explicitly allowed (port wildcards in grantfile will be ignored) - my $exactUserMatch = $params{'exactUserMatch'}; # $user must be explicitly allowed (user wildcards in grantfile will be ignored) - my $exactMatch = $params{'exactMatch'}; # sets exactIpMatch exactPortMatch and exactUserMatch + my $exactIpMatch = $params{'exactIpMatch'}; # $ip must be explicitly allowed (not given through a wider subnet or a 0.0.0.0/0 in grantfile) + my $exactPortMatch = $params{'exactPortMatch'}; # $port must be explicitly allowed (port wildcards in grantfile will be ignored) + my $exactUserMatch = $params{'exactUserMatch'}; # $user must be explicitly allowed (user wildcards in grantfile will be ignored) + my $exactMatch = $params{'exactMatch'}; # sets exactIpMatch exactPortMatch and exactUserMatch - my $ignoreUser = $params{'ignoreUser'}; # ignore remote user COMPLETELY (plop@, or root@, or @ will all match) - my $ignorePort = $params{'ignorePort'}; # ignore port COMPLETELY (port 22, 2345, or port-wildcard will all match) + my $ignoreUser = $params{'ignoreUser'}; # ignore remote user COMPLETELY (plop@, or root@, or @ will all match) + my $ignorePort = $params{'ignorePort'}; # ignore port COMPLETELY (port 22, 2345, or port-wildcard will all match) - my $wantedUser = $params{'user'}; # if undef, means we look for a user-any allow - my $wantedIp = $params{'ip'}; # can be a single IP or a subnet - my $wantedPort = $params{'port'}; # if undef, means we look for a port-any allow + my $wantedUser = $params{'user'}; # if undef, means we look for a user-any allow + my $wantedIp = $params{'ip'}; # can be a single IP or a subnet + my $wantedPort = $params{'port'}; # if undef, means we look for a port-any 
allow - my $way = $params{'way'}; # personal|group|groupguest|legacy - my $group = $params{'group'}; # only meaningful and needed if type=group or type=groupguest - my $account = $params{'account'}; # only meaningful and needed if type=personal or type=groupguest + my $way = $params{'way'}; # personal|group|groupguest|legacy + my $group = $params{'group'}; # only meaningful and needed if type=group or type=groupguest + my $account = $params{'account'}; # only meaningful and needed if type=personal or type=groupguest my $fnret; @@ -147,11 +147,11 @@ sub is_access_way_granted { else { # we don't want an exact match (aka port-any allowed) if (not defined $entry->{'port'}) { - ; # it's a wildcard, will always match + ; # it's a wildcard, will always match } else { if (not defined $wantedPort) { - next; # we want a wildcard, but we don't have it + next; # we want a wildcard, but we don't have it } else { next if ($wantedPort ne $entry->{'port'}); # both defined but unequal, not a match @@ -185,11 +185,11 @@ sub is_access_way_granted { else { # we don't want an exact match (aka user-any allowed) if (not defined $entry->{'user'}) { - ; # it's a wildcard, will always match + ; # it's a wildcard, will always match } else { if (not defined $wantedUser) { - next; # we want a wildcard, but we don't have it + next; # we want a wildcard, but we don't have it } else { # handle the case where $entry->{'user'} contains wildcards such as '?' or '*' @@ -346,7 +346,7 @@ sub get_ip { my $as_text; undef $err; eval { - ($err, $as_text) = getnameinfo($item->{'addr'}, NI_NUMERICHOST); # NI flag: don't use dns, just unpack the binary 'addr' + ($err, $as_text) = getnameinfo($item->{'addr'}, NI_NUMERICHOST); # NI flag: don't use dns, just unpack the binary 'addr' }; if (not $@ and not $err) { $iplist{$as_text} = 1; 
@@ -447,10 +447,10 @@ sub _get_pub_keys_from_directory { my %params = @_; my $dir = $params{'dir'}; my $pattern = $params{'pattern'}; - my $listOnly = $params{'listOnly'}; # don't open the files, just return file names - my $noexec = $params{'noexec'}; # passed to is_valid_public_key + my $listOnly = $params{'listOnly'}; # don't open the files, just return file names + my $noexec = $params{'noexec'}; # passed to is_valid_public_key my $forceKey = $params{'forceKey'}; - my $wantPrivate = $params{'wantPrivate'}; # if set, will return the fullpath of the private key, not the public one + my $wantPrivate = $params{'wantPrivate'}; # if set, will return the fullpath of the private key, not the public one my $fnret; osh_debug("looking for pub keys in dir $dir as user $ENV{'USER'}"); @@ -539,8 +539,8 @@ sub duration2human { my $tense = $params{'tense'}; require POSIX; - my $date_local = POSIX::strftime("%a %Y-%m-%d %H:%M:%S %Z", localtime(time() + ($tense eq 'past' ? -$s : $s))); - my $date_utc = POSIX::strftime("%a %Y-%m-%d %H:%M:%S UTC", gmtime(time() + ($tense eq 'past' ? -$s : $s))); + my $date_local = POSIX::strftime("%a %Y-%m-%d %H:%M:%S %Z", localtime(time() + ($tense eq 'past' ? -$s : $s))); + my $date_utc = POSIX::strftime("%a %Y-%m-%d %H:%M:%S UTC", gmtime(time() + ($tense eq 'past' ? -$s : $s))); my $d = int($s / 86400); $s -= $d * 86400; @@ -626,7 +626,7 @@ sub print_acls { my $matched = 0; foreach (@row) { $matched++ if ($_ =~ $includere); - last if $matched; + last if $matched; } next ENTRY if !$matched; } 
@@ -729,10 +729,10 @@ sub is_access_granted { my $listOnly = $params{'listOnly'}; # don't open the files, just return file names my $noexec = $params{'noexec'}; # passed to is_valid_public_key - my $details = delete $params{'details'}; # if set, look for and return ssh keys + config data along with allowed accesses + my $details = delete $params{'details'}; # if set, look for and return ssh keys + config data along with allowed accesses - delete $params{'way'}; # WE specify this parameter, not our caller - delete $params{'group'}; # WE specify this parameter, not our caller + delete $params{'way'}; # WE specify this parameter, not our caller + delete $params{'group'}; # WE specify this parameter, not our caller my @grants; my $fnret; @@ -920,7 +920,7 @@ sub is_access_granted { if ($data{'keys'}) { $access->{'keys'} = $data{'keys'}->value->{'keys'}; $access->{'sortedKeys'} = $data{'keys'}->value->{'sortedKeys'}; - $access->{'mfaRequired'} = $data{'mfa'}->value if $data{'mfa'}; + $access->{'mfaRequired'} = $data{'mfa'}->value if $data{'mfa'}; $access->{'idleLockTimeout'} = $data{'idle_lock_timeout'}->value if $data{'idle_lock_timeout'}; $access->{'idleKillTimeout'} = $data{'idle_kill_timeout'}->value if $data{'idle_kill_timeout'}; } @@ -960,9 +960,9 @@ sub ssh_test_access_way { $port = $fnret->value; } - $user = OVH::Bastion::config("defaultLogin")->value if not $user; - $user = $account if not $user; # defaultLogin empty means the user himself - $user = OVH::Bastion::get_user_from_env()->value if not $user; # no user or account ? get from env then + $user = OVH::Bastion::config("defaultLogin")->value if not $user; + $user = $account if not $user; # defaultLogin empty means the user himself + $user = OVH::Bastion::get_user_from_env()->value if not $user; # no user or account ? get from env then $fnret = OVH::Bastion::is_valid_remote_user(user => $user, allowWildcards => 1); $fnret or return $fnret; $user = $fnret->value; 
diff --git a/lib/perl/OVH/Bastion/allowkeeper.inc b/lib/perl/OVH/Bastion/allowkeeper.inc index a4c52ac67..3a9446ed4 100644 --- a/lib/perl/OVH/Bastion/allowkeeper.inc +++ b/lib/perl/OVH/Bastion/allowkeeper.inc @@ -137,7 +137,8 @@ sub get_next_available_uid { # if $available_gid, also check if the corresponding GID is available # if $available_gid_ttyrec, also check if the corresponding GID + the ttyrec offset is available - if ( (!$available_gid || !scalar(getgrgid($next))) + if ( + (!$available_gid || !scalar(getgrgid($next))) && (!$available_gid_ttyrec || !scalar(getgrgid($next + OVH::Bastion::config('ttyrecGroupIdOffset')->value))) ) { @@ -170,11 +171,11 @@ sub is_bastion_account_valid_and_existing { # check if account name is valid, i.e. non-weird chars and non reserved parts sub is_account_valid { - my %params = @_; - my $account = $params{'account'}; - my $accountType = $params{'accountType'} || 'normal'; # normal (local account or $realm/$remoteself formatted account) | group (must start with key*) | realm (must start with realm_*) - my $localOnly = $params{'localOnly'}; # for accountType == normal, disallow realm-formatted accounts ($realm/$remoteself) - my $realmOnly = $params{'realmOnly'}; # for accountType == normal, allow only realm-formatted accounts ($realm/$remoteself) + my %params = @_; + my $account = $params{'account'}; + my $accountType = $params{'accountType'} || 'normal'; # normal (local account or $realm/$remoteself formatted account) | group (must start with key*) | realm (must start with realm_*) + my $localOnly = $params{'localOnly'}; # for accountType == normal, disallow realm-formatted accounts ($realm/$remoteself) + my $realmOnly = $params{'realmOnly'}; # for accountType == normal, allow only realm-formatted accounts ($realm/$remoteself) if (!$account) { return R('ERR_MISSING_PARAMETER', msg => "Missing parameter 'account'"); 
@@ -226,7 +227,7 @@ sub is_account_valid { elsif (length($2) < 2) { return R('KO_TOO_SMALL', msg => "Remote account name is too short, length($2) < 2"); } - return R('OK', value => {sysaccount => "realm_$1", realm => $1, remoteaccount => $2, account => "$1/$2"}); # untainted + return R('OK', value => {sysaccount => "realm_$1", realm => $1, remoteaccount => $2, account => "$1/$2"}); # untainted } elsif ($account =~ m/^([a-zA-Z0-9._-]+)$/) { if (length($1) < 2) { @@ -237,7 +238,7 @@ sub is_account_valid { elsif (length($1) > 28) { return R('KO_TOO_LONG', msg => "$whatis name is too long, length($1) > 28"); } - return R('OK', value => {sysaccount => $1, realm => undef, remoteaccount => undef, account => $1}); # untainted + return R('OK', value => {sysaccount => $1, realm => undef, remoteaccount => undef, account => $1}); # untainted } else { return R('KO_FORBIDDEN_CHARS', msg => "$whatis name contains forbidden characters $account"); @@ -282,13 +283,13 @@ sub is_account_existing { $entry{'name'} = $newname; # untaint if ($checkBastionShell && $entry{'shell'} ne $OVH::Bastion::BASEPATH . "/bin/shell/osh.pl") { - return R('KO_NOT_FOUND', msg => "Account '$account' doesn't exist"); # msg is the same as below, voluntarily + return R('KO_NOT_FOUND', msg => "Account '$account' doesn't exist"); # msg is the same as below, voluntarily } - my ($newdir) = $entry{'dir'} =~ m{([/a-zA-Z0-9._-]+)}; # untaint + my ($newdir) = $entry{'dir'} =~ m{([/a-zA-Z0-9._-]+)}; # untaint return R('ERR_SECURITY_VIOLATION', msg => "Forbidden characters in account home directory") if ($newdir ne $entry{'dir'}); - $entry{'dir'} = $newdir; # untaint + $entry{'dir'} = $newdir; # untaint return R('OK', value => {uid => $entry{'uid'}, gid => $entry{'gid'}, dir => $entry{'dir'}, account => $entry{'name'}}); } 
@@ -299,11 +300,11 @@ sub is_account_existing { sub access_modify { my %params = @_; - my $action = $params{'action'}; # add or del + my $action = $params{'action'}; # add or del - my $user = $params{'user'}; # can be undef or '*' for a user-wildcard access - my $ip = $params{'ip'}; # can be a single ip or prefix - my $port = $params{'port'}; # can be undef or '*' for a port-wildcard access + my $user = $params{'user'}; # can be undef or '*' for a user-wildcard access + my $ip = $params{'ip'}; # can be a single ip or prefix + my $port = $params{'port'}; # can be undef or '*' for a port-wildcard access my $ttl = $params{'ttl'}; my $comment = $params{'comment'}; @@ -583,7 +584,7 @@ sub access_modify { # build the line we're either adding or looking for (to delete it) my $entry = (index($ip, ':') >= 0 ? "[$ip]" : $ip); - $entry .= ":$port" if $port; + $entry .= ":$port" if $port; $entry = $user . '@' . $entry if $user; my $t = localtime(time); @@ -1169,7 +1170,7 @@ sub is_group_member { sub get_remote_accounts_from_realm { my %params = @_; my $realm = $params{'realm'}; - my $cache = $params{'cache'}; # allow cache use of sys_getpw_name() through is_bastion_account_valid_and_existing() + my $cache = $params{'cache'}; # allow cache use of sys_getpw_name() through is_bastion_account_valid_and_existing() $realm = "realm_$realm" if $realm !~ /^realm_/; my $fnret = diff --git a/lib/perl/OVH/Bastion/configuration.inc b/lib/perl/OVH/Bastion/configuration.inc index 34ed976cc..0683e6340 100644 --- a/lib/perl/OVH/Bastion/configuration.inc +++ b/lib/perl/OVH/Bastion/configuration.inc 
@@ -144,9 +144,9 @@ sub load_configuration { default => 'fix-my-config-please-missing-bastion-name', validre => qr/^([a-zA-Z0-9_.-]+)$/ }, - {name => 'bastionCommand', default => "ssh ACCOUNT\@HOSTNAME -t -- ", validre => qr/^(.+)$/}, - {name => 'defaultLogin', default => "", validre => qr/^([a-zA-Z0-9_.-]*)$/, emptyok => 1}, - {name => 'moshCommandLine', default => "", validre => qr/^(.*)$/, emptyok => 1}, + {name => 'bastionCommand', default => "ssh ACCOUNT\@HOSTNAME -t -- ", validre => qr/^(.+)$/}, + {name => 'defaultLogin', default => "", validre => qr/^([a-zA-Z0-9_.-]*)$/, emptyok => 1}, + {name => 'moshCommandLine', default => "", validre => qr/^(.*)$/, emptyok => 1}, { name => 'documentationURL', default => "https://ovh.github.io/the-bastion/", @@ -162,7 +162,7 @@ sub load_configuration { {name => 'accountExpiredMessage', default => '', validre => qr/^(.*)$/, emptyok => 1}, {name => 'fanciness', default => 'full', validre => qr/^((none|boomer)|(basic|millenial)|(full|genz))$/}, {name => 'accountExternalValidationProgram', default => '', validre => qr'^([a-zA-Z0-9/$_.-]*)$', emptyok => 1}, - {name => 'ttyrecStealthStdoutPattern', default => '', validre => qr'^(.{0,4096})$', emptyok => 1}, + {name => 'ttyrecStealthStdoutPattern', default => '', validre => qr'^(.{0,4096})$', emptyok => 1}, ) { if (!$C->{$o->{'name'}} && !$o->{'emptyok'}) { @@ -238,7 +238,7 @@ sub load_configuration { sprintf( "Configuration error: value of option '%s' (%s) is higher than allowed value (%s), defaulting to %s", $o->{'name'}, $C->{$o->{'name'}}, - $o->{'max'}, $o->{'default'} + $o->{'max'}, $o->{'default'} ); $C->{$o->{'name'}} = $o->{'default'}; } @@ -247,7 +247,7 @@ sub load_configuration { sprintf( "Configuration error: value of option '%s' (%s) is lower than allowed value (%s), defaulting to %s", $o->{'name'}, $C->{$o->{'name'}}, - $o->{'min'}, $o->{'default'} + $o->{'min'}, $o->{'default'} ); $C->{$o->{'name'}} = $o->{'default'}; } 
@@ -266,7 +266,7 @@ sub load_configuration { qw{ enableSyslog enableGlobalAccessLog enableAccountAccessLog enableGlobalSqlLog enableAccountSqlLog displayLastLogin interactiveModeByDefault interactiveModeProactiveMFAenabled IPv4Allowed - } + } ], }, { @@ -276,7 +276,7 @@ sub load_configuration { interactiveModeAllowed readOnlySlaveMode sshClientHasOptionE ingressKeysFromAllowOverride moshAllowed debug keyboardInteractiveAllowed passwordAllowed telnetAllowed remoteCommandEscapeByDefault accountExternalValidationDenyOnFailure ingressRequirePIV IPv6Allowed sshAddKeysToAgentAllowed - } + } ], } ) @@ -658,8 +658,8 @@ sub account_config { my $account = $params{'account'} || OVH::Bastion::get_user_from_env()->value; my $key = $params{'key'}; my $value = $params{'value'}; # only for setter - my $delete = $params{'delete'}; # if true, delete the config param entirely - my $public = $params{'public'}; # if true, check in /home/allowkeeper/$account instead of /home/$account + my $delete = $params{'delete'}; # if true, delete the config param entirely + my $public = $params{'public'}; # if true, check in /home/allowkeeper/$account instead of /home/$account my $fnret; if (my @missingParameters = grep { not defined $params{$_} } qw{ account key }) { @@ -702,7 +702,7 @@ sub account_config { elsif (defined $value) { # setter mode - unlink($filename); # remove any previous value + unlink($filename); # remove any previous value my $fh; if (!sysopen($fh, $filename, O_RDWR | O_CREAT | O_EXCL)) # sysopen: avoid symlink attacks { @@ -890,7 +890,7 @@ sub group_config { elsif (defined $value) { # setter mode - unlink($filename); # remove any previous value + unlink($filename); # remove any previous value my $fh; if (!sysopen($fh, $filename, O_RDWR | O_CREAT | O_EXCL)) # sysopen: avoid symlink attacks { diff --git a/lib/perl/OVH/Bastion/execute.inc b/lib/perl/OVH/Bastion/execute.inc index f240a47c9..65a1b1cbf 100644 --- a/lib/perl/OVH/Bastion/execute.inc 
+++ b/lib/perl/OVH/Bastion/execute.inc 
@@ -61,17 +61,17 @@ sub _set_non_blocking { ## no critic(ControlStructures::ProhibitDeepNests) sub execute { - my %params = @_; - my $cmd = $params{'cmd'}; # command to execute, must be an array ref (with possible parameters) - my $expects_stdin = $params{'expects_stdin'}; # the command called expects stdin, pipe caller stdin to it - my $noisy_stdout = $params{'noisy_stdout'}; # capture stdout but print it too - my $noisy_stderr = $params{'noisy_stderr'}; # capture stderr but print it too - my $is_helper = $params{'is_helper'}; # hide JSON returns from stdout even if noisy_stdout - my $is_binary = $params{'is_binary'}; # used for e.g. scp, don't bother mimicking readline(), we lose debug and stdout/stderr are NOT returned to caller - my $stdin_str = $params{'stdin_str'}; # string to push to the STDIN of the command - my $must_succeed = $params{'must_succeed'}; # if the executed command returns a non-zero exit value, turn OK_NON_ZERO_EXIT to ERR_NON_ZERO_EXIT - my $max_stdout_bytes = $params{'max_stdout_bytes'}; # if the amount of stored stdout bytes exceeds this, halt the command and return to caller - my $system = $params{'system'}; # if set to 1, will use system() instead of open3(), needed for some plugins + my %params = @_; + my $cmd = $params{'cmd'}; # command to execute, must be an array ref (with possible parameters) + my $expects_stdin = $params{'expects_stdin'}; # the command called expects stdin, pipe caller stdin to it + my $noisy_stdout = $params{'noisy_stdout'}; # capture stdout but print it too + my $noisy_stderr = $params{'noisy_stderr'}; # capture stderr but print it too + my $is_helper = $params{'is_helper'}; # hide JSON returns from stdout even if noisy_stdout + my $is_binary = $params{'is_binary'}; # used for e.g. 
scp, don't bother mimicking readline(), we lose debug and stdout/stderr are NOT returned to caller + my $stdin_str = $params{'stdin_str'}; # string to push to the STDIN of the command + my $must_succeed = $params{'must_succeed'}; # if the executed command returns a non-zero exit value, turn OK_NON_ZERO_EXIT to ERR_NON_ZERO_EXIT + my $max_stdout_bytes = $params{'max_stdout_bytes'}; # if the amount of stored stdout bytes exceeds this, halt the command and return to caller + my $system = $params{'system'}; # if set to 1, will use system() instead of open3(), needed for some plugins $noisy_stderr = $noisy_stdout = 1 if ($ENV{'PLUGIN_DEBUG'} or $is_binary); my $fnret; @@ -434,9 +434,9 @@ sub execute { # while execute_simple() uses a buffer of 16K instead, which is several orders of # magnitude faster for commands outputting large amounts of data (several megabytes) for example. sub execute_simple { - my %params = @_; - my $cmd = $params{'cmd'}; # command to execute, must be an array ref (with possible parameters) - my $must_succeed = $params{'must_succeed'}; # if the executed command returns a non-zero exit value, turn OK_NON_ZERO_EXIT to ERR_NON_ZERO_EXIT + my %params = @_; + my $cmd = $params{'cmd'}; # command to execute, must be an array ref (with possible parameters) + my $must_succeed = $params{'must_succeed'}; # if the executed command returns a non-zero exit value, turn OK_NON_ZERO_EXIT to ERR_NON_ZERO_EXIT my $fnret; require Scalar::Util; diff --git a/lib/perl/OVH/Bastion/interactive.inc b/lib/perl/OVH/Bastion/interactive.inc index 5e75dc253..399654333 100644 --- a/lib/perl/OVH/Bastion/interactive.inc +++ b/lib/perl/OVH/Bastion/interactive.inc 
@@ -207,8 +207,8 @@ EOM # handle ^C to clear the current prompt POSIX::sigaction POSIX::SIGINT, POSIX::SigAction->new( sub { - print "\n"; # ensure we are on a new line - $term->on_new_line(); # print the prompt + print "\n"; # ensure we are on a new line + $term->on_new_line(); # print the prompt $term->replace_line("", 0); # clear the previous text $term->redisplay(); } @@ -217,7 +217,7 @@ EOM my $BASTION_USER = OVH::Bastion::get_user_from_env()->value; alarm($interactiveModeTimeout); while (defined(my $line = $term->readline(_get_prompt($self, $bastionName, $slaveOrMaster)))) { - alarm(0); # disable timeout + alarm(0); # disable timeout $line =~ s/^\s+|\s+$//g; # disable proactive MFA if it has expired. Even if the user just typed "enter" with no command. diff --git a/lib/perl/OVH/Bastion/log.inc b/lib/perl/OVH/Bastion/log.inc index 555650cf7..a408a43bb 100644 --- a/lib/perl/OVH/Bastion/log.inc +++ b/lib/perl/OVH/Bastion/log.inc @@ -14,7 +14,7 @@ sub syslog { my ($criticity, $message) = @_; if (not OVH::Bastion::config('enableSyslog')->value()) { - return 1; # don't do anything + return 1; # don't do anything } if (not $_syslog_inited) { @@ -52,7 +52,7 @@ sub syslogFormatted { # do NOT use warn_syslog in this func, or we would loop. warn() is fine. my %params = @_; my $criticity = $params{'criticity'} || 'info'; - my $type = $params{'type'} || 'unknown'; + my $type = $params{'type'} || 'unknown'; my $fieldsref = $params{'fields'}; if (ref $fieldsref ne 'ARRAY') { 
@@ -63,14 +63,14 @@ sub syslogFormatted { my @fields = @$fieldsref; - unshift @fields, ['gid', ((split(/ /, $)))[0])]; + unshift @fields, ['gid', ((split(/ /, $)))[0])]; unshift @fields, ['uid', $>]; unshift @fields, ['sudo_user', $ENV{'SUDO_USER'}]; unshift @fields, ['sysuser', OVH::Bastion::get_user_from_env()->value]; unshift @fields, ['ppid', getppid()]; unshift @fields, ['pid', $$]; unshift @fields, ['version', $OVH::Bastion::VERSION]; - unshift @fields, ['uniqid', ($ENV{'UNIQID'} || '-')]; + unshift @fields, ['uniqid', ($ENV{'UNIQID'} || '-')]; my @msg = ($type); if (($type eq 'die' || $type eq 'warn') && $criticity eq 'info') { @@ -457,9 +457,9 @@ sub log_access_insert { # 2/3) push to syslog, we'll also say if any sqlinsert failed through globalsql/accountsql # even if syslog is disabled, syslogFormatted() will return a oneline $msg that we'll use afterwards my @fields = ( - ['account', $account], - ['cmdtype', $params{'cmdtype'}], - ['allowed', ($params{'allowed'} ? 'true' : 'false')], + ['account', $account], + ['cmdtype', $params{'cmdtype'}], + ['allowed', ($params{'allowed'} ? 'true' : 'false')], ['ip_from', $params{'ipfrom'}], ['port_from', $params{'portfrom'}], ['host_from', $params{'hostfrom'}], diff --git a/lib/perl/OVH/Bastion/password.inc b/lib/perl/OVH/Bastion/password.inc index f3a7da784..558cf88f3 100644 --- a/lib/perl/OVH/Bastion/password.inc +++ b/lib/perl/OVH/Bastion/password.inc @@ -32,7 +32,7 @@ sub _get_salt { my %params = @_; my $password = $params{'password'}; my $nonce = $params{'nonce'} || $password; - my $len = $params{'len'} || 4; + my $len = $params{'len'} || 4; if ($len > 16) { return R('ERR_INVALID_PARAMETER', msg => "Expected a len <= 16"); diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc index 1fd2e9151..cccb28643 100644 --- a/lib/perl/OVH/Bastion/ssh.inc +++ b/lib/perl/OVH/Bastion/ssh.inc 
@@ -40,7 +40,7 @@ sub verify_piv { require JSON; $keyPivInfo = JSON::decode_json($fnret->value->{'stdout'}->[0]); }; - return R('OK', value => $keyPivInfo); # keyPivInfo can be undef if JSON decode failed, but the key is still a valid one + return R('OK', value => $keyPivInfo); # keyPivInfo can be undef if JSON decode failed, but the key is still a valid one } sub get_authorized_keys_from_file { @@ -110,8 +110,8 @@ sub get_authorized_keys_from_file { $key->{'err'} = $fnret->err; $key->{'index'} = $i; $key->{'pivAttestationCertificate'} = $pivAttestationCertificate if $pivAttestationCertificate; - $key->{'pivKeyCertificate'} = $pivKeyCertificate if $pivKeyCertificate; - $key->{'info'} = $info if $info; + $key->{'pivKeyCertificate'} = $pivKeyCertificate if $pivKeyCertificate; + $key->{'info'} = $info if $info; if ($pivAttestationCertificate && $pivKeyCertificate) { $fnret = OVH::Bastion::verify_piv( key => $key->{'line'}, @@ -144,8 +144,8 @@ sub add_key_to_authorized_keys_file { my $key = $params{'key'}; my $fnret; - return R('ERR_MISSING_PARAMETER', msg => "Missing argument 'file'") if not $file; - return R('KO_NO_SUCH_FILE', msg => "Specified file ($file) doesn't exist") if not -f $file; + return R('ERR_MISSING_PARAMETER', msg => "Missing argument 'file'") if not $file; + return R('KO_NO_SUCH_FILE', msg => "Specified file ($file) doesn't exist") if not -f $file; if (!$key) { return R('ERR_MISSING_PARAMETER', msg => "Missing key param"); } @@ -312,7 +312,7 @@ sub get_ssh_pub_key_info { } my $line = "$typecode $base64"; $prefix = '' if not defined $prefix; - $line .= " " . $comment if $comment; + $line .= " " . $comment if $comment; $line = $prefix . " " . $line if $prefix; my @fromList; if ($prefix =~ /^from=["']([^ "']+)/) { 
@@ -353,11 +353,12 @@ sub get_ssh_pub_key_info { chomp $sshkeygen; } -=cut +=begin comment 2048 01:c0:37:5e:b4:bf:00:b6:ef:d3:65:a7:5c:60:b1:81 john@doe (RSA) 521 af:84:cd:70:34:64:ca:51:b2:17:1a:85:3b:53:2e:52 john@doe (ECDSA) 1024 c0:4d:f7:bf:55:1f:95:59:be:7e:50:47:e4:81:c3:6a john@doe (DSA) 256 SHA256:Yggd7VRRbbivxkdVwrdt0HpqKNylMK91nNIU+RxndTI john@doe (ED25519) +=end comment =cut if (defined $sshkeygen and $sshkeygen =~ /^(\d+)\s+(\S+)\s+(.+)\s+\(([A-Z0-9-]+)\)$/) { @@ -456,7 +457,7 @@ EOS sub get_from_for_user_key { my %params = @_; my $userProvidedIpList = $params{'userProvidedIpList'} || []; # arrayref - my $forcedList = $params{'forcedList'} || []; # arrayref + my $forcedList = $params{'forcedList'} || []; # arrayref my $key = $params{'key'}; my $ingressKeysFrom = OVH::Bastion::config('ingressKeysFrom'); @@ -567,8 +568,8 @@ sub generate_ssh_key { if (not -e $file) { return R('ERR_SSH_KEYGEN_FAILED', msg => "Couldn't find generated key ($file)"); } - chown $uid, -1, $file if defined $uid; - chown -1, $gid, $file if defined $gid; + chown $uid, -1, $file if defined $uid; + chown -1, $gid, $file if defined $gid; chmod $chmod, $file; } return R('OK', value => {file => $sshKeyName}); @@ -790,8 +791,8 @@ sub print_public_key { $key->{'fingerprint'} || 'INVALID_FINGERPRINT', $key->{'family'} || 'INVALID_FAMILY', $key->{'size'}, - defined $id ? "ID = $id" : POSIX::strftime("%Y/%m/%d", localtime($key->{'mtime'})), - $err eq 'OK' ? '' : ' ***<<' . $err . '>>***', + defined $id ? "ID = $id" : POSIX::strftime("%Y/%m/%d", localtime($key->{'mtime'})), + $err eq 'OK' ? '' : ' ***<<' . $err . '>>***', ) ); @@ -1052,7 +1053,7 @@ sub is_effective_piv_account_policy_enabled { sub print_accepted_key_algorithms { my %params = @_; my $way = $params{'way'}; - my $fido = ($params{'fido'} // 1); + my $fido = ($params{'fido'} // 1); my $generate = ($params{'generate'} // 1); my $fnret; diff --git a/lib/perl/OVH/Result.pm b/lib/perl/OVH/Result.pm index 39c8df472..91f058395 100644 
--- a/lib/perl/OVH/Result.pm +++ b/lib/perl/OVH/Result.pm @@ -16,7 +16,7 @@ use overload ( '""' => \&msg, ); -sub new { ## no critic (ArgUnpacking) +sub new { ## no critic (ArgUnpacking) my $type = shift; my %params = @_; my $err = $params{'err'}; diff --git a/lib/perl/OVH/SimpleLog.pm b/lib/perl/OVH/SimpleLog.pm index efbb7e438..b92e49d36 100644 --- a/lib/perl/OVH/SimpleLog.pm +++ b/lib/perl/OVH/SimpleLog.pm @@ -64,9 +64,9 @@ sub closeSyslog { return 1; } -sub _log { _display('LOG', @_); return 1; } ## no critic (ProhibitUnusedPrivateSubroutines) +sub _log { _display('LOG', @_); return 1; } ## no critic (ProhibitUnusedPrivateSubroutines) sub _warn { _display('WARN', @_); $NB_WARNINGS++; return 1; } -sub _err { _display('ERR', @_); $NB_ERRORS++; return 1; } ## no critic (ProhibitUnusedPrivateSubroutines) +sub _err { _display('ERR', @_); $NB_ERRORS++; return 1; } ## no critic (ProhibitUnusedPrivateSubroutines) # Display a message sub _display { @@ -126,7 +126,7 @@ sub nb_errors { return $NB_ERRORS; } sub nb_warnings { return $NB_WARNINGS; } END { - close($LOG_FH) if (defined $LOG_FH); + close($LOG_FH) if (defined $LOG_FH); Sys::Syslog::closelog() if (defined $FACILITY); } diff --git a/lib/shell/install.inc b/lib/shell/install.inc index 0817e828c..89eed213b 100644 --- a/lib/shell/install.inc +++ b/lib/shell/install.inc @@ -30,6 +30,7 @@ set_download_url() { wget $verbosity -O - --header="Accept: application/vnd.github.v3+json" "$1" || true } _download() { + # shellcheck disable=SC2317,SC2086 wget $verbosity "$1" } elif command -v fetch >/dev/null; then @@ -39,6 +40,7 @@ set_download_url() { fetch $verbosity -o - "$1" || true } _download() { + # shellcheck disable=SC2317,SC2086 fetch $verbosity "$1" } elif command -v curl >/dev/null; then @@ -49,6 +51,7 @@ set_download_url() { curl $verbosity -L -H 'Accept: application/vnd.github.v3+json' "$1" || true } _download() { + # shellcheck disable=SC2317,SC2086 curl $verbosity -L -O "$1" } else 
@@ -57,8 +60,6 @@ set_download_url() { fi action_doing "Getting latest release for arch $arch..." payload=$(mktemp) - # shellcheck disable=SC2064 - trap "rm -f $payload" EXIT # shellcheck disable=SC2034 for try in 1 2; do @@ -91,6 +92,7 @@ set_download_url() { if [ -n "$url" ]; then # success action_detail "$url" + test -f "$payload" && rm -f "$payload" return 0 elif [ -z "$urls" ]; then action_error "Couldn't find any URL in the returned body, did we hit the query limit? Body follows:" @@ -104,6 +106,7 @@ set_download_url() { for line in $urls; do action_detail "$line" done + test -f "$payload" && rm -f "$payload" exit 1 fi done diff --git a/tests/functional/docker/docker_build_and_run_tests.sh b/tests/functional/docker/docker_build_and_run_tests.sh index ef128ddfd..65128d2ea 100755 --- a/tests/functional/docker/docker_build_and_run_tests.sh +++ b/tests/functional/docker/docker_build_and_run_tests.sh @@ -154,11 +154,13 @@ cleanup() { docker network rm "bastion-$target" >/dev/null } +# shellcheck disable=SC2317 cleanup_exit() { show_target_logs cleanup } +# shellcheck disable=SC2317 cleanup_int() { printf "%b%b%b\\n" "$WHITE_ON_RED" '>>> CLEANING UP, DO NOT CTRL+C AGAIN! <<<' "$NOC" cleanup diff --git a/tests/functional/docker/docker_build_and_run_tests_all.sh b/tests/functional/docker/docker_build_and_run_tests_all.sh index 447e85e4a..7d0093fc5 100755 --- a/tests/functional/docker/docker_build_and_run_tests_all.sh +++ b/tests/functional/docker/docker_build_and_run_tests_all.sh @@ -22,9 +22,10 @@ sleep 5 echo "GO!" tempdir=$(mktemp -d) +# shellcheck disable=SC2317 cleanup() { - test -d "$tempdir" && rm -rf "$tempdir" - docker ps | grep -Eo 'bastion_.*_(target|tester)$' | xargs -r docker kill + test -d "$tempdir" && rm -rf "$tempdir" + docker ps | grep -Eo 'bastion_.*_(target|tester)$' | xargs -r docker kill } trap 'cleanup' EXIT diff --git a/tests/functional/docker/target_role.sh b/tests/functional/docker/target_role.sh index 1f5172b23..944b2f271 100755 
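Review bot: Dropping `trap "rm -f $payload" EXIT` and cleaning up only on the `return 0` and `exit 1` paths leaves the mktemp file behind on every other way out of `set_download_url()`: when both attempts of the `for try in 1 2` loop end with an empty body and the loop falls through, and when the script is interrupted while the download is running. Presumably the trap was removed so the function stops overwriting the caller's EXIT trap, which is a fair reason, but those paths still need cleanup; a single `rm -f "$payload"` placed after the loop's closing `done` would cover the fall-through case (the function body continues past the last hunk), and interrupt cleanup could be left to an EXIT trap installed by the caller, if there is one. The `test -f "$payload" &&` guard on both added lines is redundant, since `rm -f` already ignores a missing file; `rm -f "$payload"` alone reads cleaner.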
--- a/tests/functional/docker/target_role.sh +++ b/tests/functional/docker/target_role.sh @@ -130,12 +130,12 @@ elif [ "$OS_FAMILY" = OpenBSD ] || [ "$OS_FAMILY" = FreeBSD ] || [ "$OS_FAMILY" : "${nic:=lo0}" i=2 while [ $i -lt 20 ] ; do - ifconfig $nic 127.0.0.$i netmask 255.0.0.0 alias + ifconfig "$nic" 127.0.0.$i netmask 255.0.0.0 alias (( i++ )) done - ifconfig $nic 127.7.7.7 netmask 255.0.0.0 alias + ifconfig "$nic" 127.7.7.7 netmask 255.0.0.0 alias echo "Added a few local IP aliases" - ifconfig $nic + ifconfig "$nic" set +e for st in restart onestart diff --git a/tests/functional/launch_tests_on_instance.sh b/tests/functional/launch_tests_on_instance.sh index 50d318bd2..de833e5be 100755 --- a/tests/functional/launch_tests_on_instance.sh +++ b/tests/functional/launch_tests_on_instance.sh @@ -1,8 +1,6 @@ #! /usr/bin/env bash # vim: set filetype=sh ts=4 sw=4 sts=4 et: -# shellcheck disable=SC2086 -# shellcheck disable=SC2016 -# shellcheck disable=SC2046 +# shellcheck disable=SC2086,SC2016,SC2046,SC2317 set -eu # ensure a sparse '*' somewhere doesn't end up in us expanding it silently diff --git a/tests/functional/tests.d/200-scripts.sh b/tests/functional/tests.d/200-scripts.sh index 348682b5e..6656013a2 100644 --- a/tests/functional/tests.d/200-scripts.sh +++ b/tests/functional/tests.d/200-scripts.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/300-activeness.sh b/tests/functional/tests.d/300-activeness.sh index cf129b97f..95cc1ad83 100644 --- a/tests/functional/tests.d/300-activeness.sh +++ b/tests/functional/tests.d/300-activeness.sh 
@@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/305-admin-superowner.sh b/tests/functional/tests.d/305-admin-superowner.sh index 0a1b71863..ef88a7acc 100644 --- a/tests/functional/tests.d/305-admin-superowner.sh +++ b/tests/functional/tests.d/305-admin-superowner.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/310-realm.sh b/tests/functional/tests.d/310-realm.sh index 7b79b6e36..b0decd3e9 100644 --- a/tests/functional/tests.d/310-realm.sh +++ b/tests/functional/tests.d/310-realm.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/320-base.sh b/tests/functional/tests.d/320-base.sh index be3fc6fe6..1ca860a28 100644 --- a/tests/functional/tests.d/320-base.sh +++ b/tests/functional/tests.d/320-base.sh 
@@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/325-accountinfo.sh b/tests/functional/tests.d/325-accountinfo.sh index e1d77dffe..fe1dfbb3b 100644 --- a/tests/functional/tests.d/325-accountinfo.sh +++ b/tests/functional/tests.d/325-accountinfo.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/330-selfkeys.sh b/tests/functional/tests.d/330-selfkeys.sh index b211abaf4..769d06da3 100644 --- a/tests/functional/tests.d/330-selfkeys.sh +++ b/tests/functional/tests.d/330-selfkeys.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/340-selfaccesses.sh b/tests/functional/tests.d/340-selfaccesses.sh index f28ca7f15..2e5b9ad94 100644 --- a/tests/functional/tests.d/340-selfaccesses.sh +++ b/tests/functional/tests.d/340-selfaccesses.sh 
@@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/341-selfaccesses-force-password.sh b/tests/functional/tests.d/341-selfaccesses-force-password.sh index ff2786400..65f0e5716 100644 --- a/tests/functional/tests.d/341-selfaccesses-force-password.sh +++ b/tests/functional/tests.d/341-selfaccesses-force-password.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/345-assetforgethostkey.sh b/tests/functional/tests.d/345-assetforgethostkey.sh index 1559e20d6..1ba6dff6f 100644 --- a/tests/functional/tests.d/345-assetforgethostkey.sh +++ b/tests/functional/tests.d/345-assetforgethostkey.sh @@ -1,6 +1,6 @@ # vim: set filetype=sh ts=4 sw=4 sts=4 et: # shellcheck shell=bash -# shellcheck disable=SC2086,SC2016,SC2046 +# shellcheck disable=SC2317,SC2086,SC2016,SC2046 # below: convoluted way that forces shellcheck to source our caller # shellcheck source=tests/functional/launch_tests_on_instance.sh . "$(dirname "${BASH_SOURCE[0]}")"/dummy diff --git a/tests/functional/tests.d/346-testagentforward.sh b/tests/functional/tests.d/346-testagentforward.sh index fdb41d82c..ff564b47f 100644 --- a/tests/functional/tests.d/346-testagentforward.sh +++ b/tests/functional/tests.d/346-testagentforward.sh 
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/350-groups.sh b/tests/functional/tests.d/350-groups.sh
index f899fdbee..a182c63ca 100644
--- a/tests/functional/tests.d/350-groups.sh
+++ b/tests/functional/tests.d/350-groups.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
@@ -996,7 +996,7 @@ EOS
 contain '1 accesses listed'
 # test groupSetServers here, then restore the previous ACL so the tests can continue
- # shellcheck disable=SC1004
+ # shellcheck disable=SC2317,SC1004
 script groupSetServers_valid_dryrun $a1 --osh groupSetServers --group $group1 --dry-run '< <(printf \
 "%s\n%s\n%s\n" \
 "user@127.0.0.1:1234 comment with spaces" \
@@ -1008,7 +1008,7 @@ EOS
 json '.value.ACL[1].user' null '.value.ACL[1].ip' 127.0.0.1 '.value.ACL[1].port' null '.value.ACL[1].comment' null
 json '.value.ACL[2].user' null '.value.ACL[2].ip' 0.0.0.0/4 '.value.ACL[2].port' 42 '.value.ACL[2].comment' null
- # shellcheck disable=SC1004
+ # shellcheck disable=SC2317,SC1004
 script groupSetServers_invalid $a1 --osh groupSetServers --group $group1 --dry-run '< <(printf \
 "%s\n%s\n%s\n%s\n" \
 "inva{}lid@127.0.0.1" \
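Review bot: The per-line `# shellcheck disable=SC2317,SC1004` additions in this hunk and in the `@@ -1008` and `@@ -1019` hunks of the same file look redundant, because the file-level directive at line 3 of 350-groups.sh now lists SC2317 as well, and a directive placed before the first command applies to the whole file. If shellcheck still reported SC2317 on these `script` lines with the header in place, a short comment saying so would stop the next reader from dropping them; otherwise the three lines can stay as `# shellcheck disable=SC1004`. More generally, adding SC2317 to the file-level directive in every test file of this commit also silences genuinely unreachable commands in those files, not only the test functions the harness invokes indirectly; a `# shellcheck disable=SC2317` on the line before each such function definition would be the narrower suppression. The enclosing function of these hunks starts and ends outside them.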
@@ -1019,7 +1019,7 @@ EOS
 json .command groupSetServers .error_code ERR_INVALID_PARAMETER .value.parsedLines 4 '.value.errors|length' 4 .value.dryrun true
 # restore the previous ACL
- # shellcheck disable=SC1004
+ # shellcheck disable=SC2317,SC1004
 script groupSetServers_valid_skiperrors $a1 --osh groupSetServers --group $group1 --skip-errors '< <(printf \
 "%s\n%s\n%s\n%s\n%s\n" \
 "g1@127.0.0.1:22" \
diff --git a/tests/functional/tests.d/355-ipv6.sh b/tests/functional/tests.d/355-ipv6.sh
index f733fa76f..5d40c5c2e 100644
--- a/tests/functional/tests.d/355-ipv6.sh
+++ b/tests/functional/tests.d/355-ipv6.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/360-plugins.sh b/tests/functional/tests.d/360-plugins.sh
index 0706e75cf..2969fd19d 100644
--- a/tests/functional/tests.d/360-plugins.sh
+++ b/tests/functional/tests.d/360-plugins.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/370-mfa.sh b/tests/functional/tests.d/370-mfa.sh
index ac19c94ae..0260ad3a3 100644
--- a/tests/functional/tests.d/370-mfa.sh
+++ b/tests/functional/tests.d/370-mfa.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/380-config-options.sh b/tests/functional/tests.d/380-config-options.sh
index 46f980afc..1f2a3d57c 100644
--- a/tests/functional/tests.d/380-config-options.sh
+++ b/tests/functional/tests.d/380-config-options.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/390-mfa-realm.sh b/tests/functional/tests.d/390-mfa-realm.sh
index dbb86c1ef..2ebeb6687 100644
--- a/tests/functional/tests.d/390-mfa-realm.sh
+++ b/tests/functional/tests.d/390-mfa-realm.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/395-mfa-scp-sftp-rsync.sh b/tests/functional/tests.d/395-mfa-scp-sftp-rsync.sh
index b854e71f7..253bfb7c2 100644
--- a/tests/functional/tests.d/395-mfa-scp-sftp-rsync.sh
+++ b/tests/functional/tests.d/395-mfa-scp-sftp-rsync.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/400-piv.sh b/tests/functional/tests.d/400-piv.sh
index 05791e2ba..0e845085e 100644
--- a/tests/functional/tests.d/400-piv.sh
+++ b/tests/functional/tests.d/400-piv.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/functional/tests.d/500-http-proxy.sh b/tests/functional/tests.d/500-http-proxy.sh
index 1ed5da9ba..a9d9fc04b 100644
--- a/tests/functional/tests.d/500-http-proxy.sh
+++ b/tests/functional/tests.d/500-http-proxy.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
@@ -117,7 +117,7 @@ testsuite_proxy()
 contain "This account doesn't have access to this user@host tuple (Access denied for $account0 to test@127.0.0.1:9443)"
 # add ourselves access
- success add_personal_access $a0 --osh selfAddPersonalAccess --host 127.0.0.1 --port 9443 --user test --force
+ success add_personal_access $a0 --osh selfAddPersonalAccess --host 127.0.0.1 --port-any --user test --force
 json .command selfAddPersonalAccess .error_code OK
 script missing_egress_pwd "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
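Review bot: The `--port-any` on the `add_personal_access` line grants the test account a personal access to every port of 127.0.0.1 as user `test` for the rest of the suite, where the previous grant was scoped to 9443. That is presumably what lets the http-only check later in this file reach port 22, but unless another test in the file covers it, the proxy's port-scoped denial path (the `Access denied for $account0 to test@127.0.0.1:9443` message asserted just above) is no longer exercised after this point; two explicit grants, `--port 9443` and `--port 22`, would keep the ACL as narrow as the test needs, or a comment on this line should state that an any-port grant is intended. testsuite_proxy starts before and continues after this hunk.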
@@ -244,20 +244,28 @@ testsuite_proxy()
 # use alternate config to only allow http egress
 success config_swap $r0 "\"mv /etc/bastion/osh-http-proxy.conf /etc/bastion/osh-http-proxy-normal.conf; mv /etc/bastion/osh-http-proxy-httponly.conf /etc/bastion/osh-http-proxy.conf\""
+ # when daemon will restart, it'll log stuff, ignore it
+ ignorecodewarn 'osh-http-proxy-daemon'
 # pkill doesn't work well under FreeBSD, so do it ourselves for all OSes
 success force_restart $r0 "\"ps -U proxyhttp -o pid,command | grep -v PID | awk '{print \\\$1}' | xargs -r kill; true\""
- [ "$COUNTONLY" != 1 ] && sleep 2
+ if [ "$COUNTONLY" != 1 ]; then
+ # wait for target_role.sh to restart the daemon
+ sleep 4
+ fi
+ # when daemon will restart, it'll log stuff, ignore it
+ ignorecodewarn 'osh-http-proxy-daemon'
 # http should be allowed now
- script allowed_http_egress "curl -ski -H 'X-Bastion-Egress-Protocol: http' -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test 2>&1 | cat; exit \${PIPESTATUS[0]}"
+ script allowed_http_egress "curl -ski -H 'X-Bastion-Egress-Protocol: http' -u '$account0@test@127.0.0.1%22:$proxy_password' https://$remote_ip:$remote_proxy_port/test 2>&1 | cat; exit \${PIPESTATUS[0]}"
 retvalshouldbe 0
- contain 'HTTP/1.0 500 Status read failed: Connection reset by peer'
+ contain 'HTTP/1.0 200'
 contain 'Server: The Bastion'
 contain 'X-Bastion-Instance: '
 contain 'X-Bastion-ReqID: '
 contain 'X-Bastion-Local-Status: 200 OK'
 nocontain 'WWW-Authenticate: '
 nocontain "X-Bastion-Remote-Client-SSL"
+ contain 'SSH-2.0'
 # and https disallowed
 script forbidden_https_egress "curl -ski -u '$account0@test@127.0.0.1%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
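Review bot: The new `if [ "$COUNTONLY" != 1 ]` block still synchronises with the daemon restart through a fixed `sleep 4`, so `allowed_http_egress` remains timing-dependent and will fail on a slow runner just as `sleep 2` did, only less often; a bounded poll of `ps -U proxyhttp` (the same check `force_restart` already runs) until the daemon is back would make the step deterministic. `ignorecodewarn 'osh-http-proxy-daemon'` and its comment are now issued twice, before `force_restart` and again before `allowed_http_egress`; if the helper only covers the next test step that is intentional and the second comment could say so, otherwise the second call is redundant. The added `contain 'SSH-2.0'` is what proves the plain-http egress actually reached port 22, which is not obvious in a proxy test, so it deserves a comment such as `# the SSH banner in the body proves egress reached 127.0.0.1:22 over plain http`. testsuite_proxy starts before and continues after this hunk.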
@@ -271,7 +279,7 @@ testsuite_proxy()
 contain 'not allowed by policy'
 # try an IPv6
- script ipv6 "curl -ski -H 'X-Bastion-Egress-Protocol: http' -u '$account0@test@[::1]%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit ${PIPESTATUS[0]}"
+ script ipv6 "curl -ski -H 'X-Bastion-Egress-Protocol: http' -u '$account0@test@[::1]%9443:$proxy_password' https://$remote_ip:$remote_proxy_port/test | cat; exit \${PIPESTATUS[0]}"
 retvalshouldbe 0
 contain 'ERR_IP_VERSION_DISABLED'
 }
diff --git a/tests/functional/tests.d/900-strict-checking.sh b/tests/functional/tests.d/900-strict-checking.sh
index cb705b0b2..6ff3ed55f 100644
--- a/tests/functional/tests.d/900-strict-checking.sh
+++ b/tests/functional/tests.d/900-strict-checking.sh
@@ -1,6 +1,6 @@
 # vim: set filetype=sh ts=4 sw=4 sts=4 et:
 # shellcheck shell=bash
-# shellcheck disable=SC2086,SC2016,SC2046
+# shellcheck disable=SC2317,SC2086,SC2016,SC2046
 # below: convoluted way that forces shellcheck to source our caller
 # shellcheck source=tests/functional/launch_tests_on_instance.sh
 . "$(dirname "${BASH_SOURCE[0]}")"/dummy
diff --git a/tests/unit/tests/base.t b/tests/unit/tests/base.t
index b707d2a9f..04c61b0ce 100644
--- a/tests/unit/tests/base.t
+++ b/tests/unit/tests/base.t
@@ -41,9 +41,9 @@ OVH::Bastion::set_mock_data(
 OVH::Bastion::load_configuration(
 mock_data => {
 ingressToEgressRules => [
- [["10.19.0.0/16", "10.15.15.0/24"], ["10.20.0.0/16"], "ALLOW-EXCLUSIVE"],
- [["192.168.42.0/24"], ["192.168.42.0/24"], "ALLOW"],
- [["192.168.0.0/16"], ["192.168.0.0/16"], "DENY"]
+ [["10.19.0.0/16", "10.15.15.0/24"], ["10.20.0.0/16"], "ALLOW-EXCLUSIVE"],
+ [["192.168.42.0/24"], ["192.168.42.0/24"], "ALLOW"],
+ [["192.168.0.0/16"], ["192.168.0.0/16"], "DENY"]
 ],
 bastionName => "mock",
diff --git a/tests/unit/tests/is_access_granted_ipv4.t b/tests/unit/tests/is_access_granted_ipv4.t
index df436232f..8806c9249 100644
--- a/tests/unit/tests/is_access_granted_ipv4.t
+++ b/tests/unit/tests/is_access_granted_ipv4.t
@@ -27,7 +27,7 @@ OVH::Bastion::set_mock_data(
 198.51.100.32/28:12
 192.0.2.23
 198.51.100.48/28
- }
+ }
 ],
 },
 },
@@ -39,7 +39,7 @@ OVH::Bastion::load_configuration(
 }
 );
-my %want; # truth table
+my %want; # truth table
 my $undef = '_none_'; # can't use undef as a hash key, so we'll use this special value instead
 $want{"192.0.2.12"}{$undef}{$undef} = 'KO_ACCESS_DENIED';
diff --git a/tests/unit/tests/is_access_granted_ipv6.t b/tests/unit/tests/is_access_granted_ipv6.t
index b78075470..de01f1ab6 100644
--- a/tests/unit/tests/is_access_granted_ipv6.t
+++ b/tests/unit/tests/is_access_granted_ipv6.t
@@ -32,7 +32,7 @@ OVH::Bastion::set_mock_data(
 [2001:db8:feed::/48]:12
 [2001:db8::2:3]
 [2001:db8:deaf::/48]
- }
+ }
 ],
 },
 },
@@ -44,7 +44,7 @@ OVH::Bastion::load_configuration(
 }
 );
-my %want; # truth table
+my %want; # truth table
 my $undef = '_none_'; # can't use undef as a hash key, so we'll use this special value instead
 $want{"2001:0db8:0::1:2"}{$undef}{$undef} = 'KO_ACCESS_DENIED';