diff --git a/bin/plugin/restricted/whoHasAccessTo b/bin/plugin/restricted/whoHasAccessTo
index 9efaab8..8820215 100755
--- a/bin/plugin/restricted/whoHasAccessTo
+++ b/bin/plugin/restricted/whoHasAccessTo
@@ -96,17 +96,18 @@ sub process_account {
     my $account = $params{'account'};
     $fnret = OVH::Bastion::is_access_granted(
-        account => $account,
-        user => $user,
-        ip => $ip,
-        ipfrom => $ENV{'OSH_IP_FROM'},
-        port => $port,
-        proxyUser => $proxyUser,
-        proxyIp => $proxyIp,
-        proxyPort => $proxyPort,
-        cache => 1,
-        ignorePort => ($port ? 0 : 1), # return accesses without checking for the specified port
-        ignoreUser => ($user ? 0 : 1), # return accesses without checking for the specified remote user
+        account => $account,
+        user => $user,
+        ip => $ip,
+        ipfrom => $ENV{'OSH_IP_FROM'},
+        port => $port,
+        proxyUser => $proxyUser,
+        proxyIp => $proxyIp,
+        proxyPort => $proxyPort,
+        cache => 1,
+        ignorePort => ($port ? 0 : 1), # return accesses without checking for the specified port
+        ignoreUser => ($user ? 0 : 1), # return accesses without checking for the specified remote user
+        ignoreProxyUser => ($proxyUser ? 0 : 1), # return accesses without checking for the specified proxy user
     );
     if ($fnret) {
         my $byPersonal = 0;
diff --git a/lib/perl/OVH/Bastion/allowdeny.inc b/lib/perl/OVH/Bastion/allowdeny.inc
index 9e9ebc7..0770f06 100644
--- a/lib/perl/OVH/Bastion/allowdeny.inc
+++ b/lib/perl/OVH/Bastion/allowdeny.inc
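Review bot: The new `ignoreProxyUser` key is handed to `OVH::Bastion::is_access_granted`, but this diff only changes `is_access_way_granted` in allowdeny.inc; unless `is_access_granted` forwards its `%params` unchanged to the way-level check, the key is dropped in transit and the proxy-user filter silently keeps applying, so the intermediate function (outside this diff) is worth confirming. Deriving the flag from the truthiness of `$proxyUser` mirrors the existing `ignorePort`/`ignoreUser` lines, so the behaviour is consistent: omitting the proxy user now lists grants for any proxy user rather than none, which is a broadening of what the listing reports and should be reflected wherever the plugin documents its proxyUser option. process_account continues outside the hunk.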
@@ -77,8 +77,9 @@ sub is_access_way_granted {
     my $exactUserMatch = $params{'exactUserMatch'}; # $user must be explicitly allowed (user wildcards in grantfile will be ignored)
     my $exactMatch = $params{'exactMatch'}; # sets exactIpMatch exactPortMatch and exactUserMatch
-    my $ignoreUser = $params{'ignoreUser'}; # ignore remote user COMPLETELY (plop@, or root@, or @ will all match)
-    my $ignorePort = $params{'ignorePort'}; # ignore port COMPLETELY (port 22, 2345, or port-wildcard will all match)
+    my $ignoreUser = $params{'ignoreUser'}; # ignore remote user COMPLETELY (plop@, or root@, or @ will all match)
+    my $ignorePort = $params{'ignorePort'}; # ignore port COMPLETELY (port 22, 2345, or port-wildcard will all match)
+    my $ignoreProxyUser = $params{'ignoreProxyUser'}; # ignore proxy user COMPLETELY (if egress connection goes through a proxyjump)
     my $wantedUser = $params{'user'}; # if undef, means we look for a user-any allow
     my $wantedIp = $params{'ip'}; # can be a single IP or a subnet
@@ -107,7 +108,7 @@ sub is_access_way_granted {
     my @acl = @{$fnret->value || []};
     my $check_debug_msg =
-        "checking way $way/$account/$group with ignorePort=$ignorePort ignoreUser=$ignoreUser exactIpMatch=$exactIpMatch exactPortMatch=$exactPortMatch exactUserMatch=$exactUserMatch";
+        "checking way $way/$account/$group with ignorePort=$ignorePort ignoreUser=$ignoreUser ignoreProxyUser=$ignoreProxyUser exactIpMatch=$exactIpMatch exactPortMatch=$exactPortMatch exactUserMatch=$exactUserMatch";
     osh_debug($check_debug_msg);
     my %match;
@@ -236,7 +237,7 @@ sub is_access_way_granted {
         }
         # check proxy user if we have a proxy ip
-        if (defined $wantedProxyIp) {
+        if (defined $wantedProxyIp && not $ignoreProxyUser) {
             if ($exactUserMatch) {
                 # we want an exact match
                 if (not defined $entry->{'proxyUser'}) {
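Review bot: `$ignoreProxyUser` is read straight from `$params{'ignoreProxyUser'}` and then interpolated into `$check_debug_msg` in the second hunk, so every existing caller of is_access_way_granted that does not yet pass the new key supplies undef, which under `use warnings` (not visible in this diff) produces an "uninitialized value" warning on each ACL check. The neighbouring `ignoreUser`/`ignorePort` have the same shape, so the flags may already be normalized upstream; if they are not, `my $ignoreProxyUser = $params{'ignoreProxyUser'} // 0;` keeps the debug line clean and makes the fail-closed default explicit. The trailing comment could also state the polarity, e.g. `# ignore proxy user COMPLETELY when true (any proxyUser entry matches); undef/0 keeps the check`. is_access_way_granted starts and ends outside these hunks.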
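Review bot: The comment above the changed condition still reads `# check proxy user if we have a proxy ip`, while the new `&& not $ignoreProxyUser` adds a second way to skip the check; update it to `# check proxy user if we have a proxy ip, unless the caller asked to ignore the proxy user`. Mixing `&&` with low-precedence `not` parses as intended here only because `not $ignoreProxyUser` is the last term; `if (defined $wantedProxyIp && !$ignoreProxyUser)` (or `and not`) avoids the precedence trap if the condition is ever extended. Since the flag bypasses the whole proxy-user block, including the `$exactUserMatch` branch, a grant entry with any proxyUser value (or none) matches once it is set, which is fine for listing but must never be reachable from the connection-time check, so the undef default staying fail-closed matters. The enclosing loop and function continue outside the hunk.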