fixes after review

6 years ago · cb02fd2a33
parent 1b164c1197
commit cb02fd2a33
8 changed files with 62 additions and 76 deletions
--- a/.github/workflows/freebsd.yml
+++ b/.github/workflows/freebsd.yml
@ -19,15 +19,15 @@ jobs:
          set -ex
          freebsd-version
          mount -o acls /
-          pkg install -y bash unzip rsync ca_root_nss jq fping screen flock
+          pkg install -y bash unzip rsync ca_root_nss jq fping screen flock gmake
          mkdir -p /opt/bastion
          rsync -a . /opt/bastion/
          fetch https://github.com/ovh/ovh-ttyrec/archive/master.zip
          unzip master.zip
          cd ovh-ttyrec-master/
          ./configure
-          make
-          make install
+          gmake
+          gmake install
          cd ..
          /opt/bastion/bin/admin/packages-check.sh -i
          /opt/bastion/bin/admin/install --new-install --no-wait
--- a/bin/admin/install
+++ b/bin/admin/install
@ -202,8 +202,8 @@ fi

 if [ "${opt[install-fake-ttyrec]}" = 1 ]; then
    action_doing "Installing fake ttyrec (use this only for tests!)"
-    if [ ! -e "/usr/bin/ttyrec" ]; then
-        install -o "$UID0" -g "$GID0" -m 0755 "$basedir/tests/functional/fake_ttyrec.sh" "/usr/bin/ttyrec"
+    if [ ! -e "/usr/bin/ttyrec" ] && [ ! -e "/usr/local/bin/ttyrec" ]; then
+        install -o "$UID0" -g "$GID0" -m 0755 "$basedir/tests/functional/fake_ttyrec.sh" "/usr/local/bin/ttyrec"
        action_done
    else
        action_na
--- a/bin/admin/install-ttyrec.sh
+++ b/bin/admin/install-ttyrec.sh
@ -196,11 +196,6 @@ if [ "$OS_FAMILY" != "Linux" ]; then
    exit 1
 fi

-if [ "$OS_FAMILY" != "Linux" ]; then
-    echo "Sorry, your OS ($(uname -s)) is not supported." >&2
-    exit 1
-fi
-
 while getopts :sdrah arg; do
    case "$arg" in
        s) action_static; exit 0;;
--- a/bin/shell/connect.pl
+++ b/bin/shell/connect.pl
@ -100,7 +100,12 @@ else {
 }

 # in any case, force this
-$command[0] = '/usr/bin/ttyrec';
+if (-e '/usr/local/bin/ttyrec') {
+    $command[0] = '/usr/local/bin/ttyrec';
+}
+else {
+    $command[0] = '/usr/bin/ttyrec';
+}

 # then finally launch the command !
 my $sysret = system(@command);
--- a/bin/shell/osh.pl
+++ b/bin/shell/osh.pl
@ -872,38 +872,8 @@ if ($osh_command) {
        if ($MFArequiredForPlugin ne 'none' && !$skipMFA) {
            print "As this is required to run this plugin, entering MFA phase.\n";

-            # use system() instead of OVH::Bastion::execute() because we need it to grab the term
-            my $pamtries = 3;
-            while (1) {
-                my $pamsysret;
-                if (OVH::Bastion::is_freebsd()) {
-                    $pamsysret = system('sudo', '-n', '-u', 'root', '--', '/usr/bin/env', 'pamtester', 'sshd', $sysself, 'authenticate');
-                }
-                else {
-                    $pamsysret = system('pamtester', 'sshd', $sysself, 'authenticate');
-                }
-                if ($pamsysret < 0) {
-                    main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "MFA is required for this plugin, but this bastion is missing the `pamtester' tool, aborting");
-                }
-                elsif ($pamsysret != 0) {
-                    if (--$pamtries <= 0) {
-                        main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "Sorry, but Multi-Factor Authentication failed, aborting");
-                    }
-                    next;
-                }
-
-                # success, if we are configured to launch a external command on pamtester success, do it.
-                # see the bastion.conf.dist file for usage example.
-                my $MFAPostCommand = OVH::Bastion::config('MFAPostCommand')->value;
-                if (ref $MFAPostCommand eq 'ARRAY' && @$MFAPostCommand) {
-                    s/%ACCOUNT%/$self/g for @$MFAPostCommand;
-                    $fnret = OVH::Bastion::execute(cmd => $MFAPostCommand, must_succeed => 1);
-                    if (!$fnret) {
-                        warn_syslog("MFAPostCommand returned a non-zero value: " . $fnret->msg);
-                    }
-                }
-                last;
-            }
+            $fnret = OVH::Bastion::do_pamtester(self => $self, sysself => $sysself);
+            $fnret or main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', $fnret->msg);
        }

        OVH::Bastion::set_terminal_mode_for_plugin(plugin => $osh_command, action => 'set');
@ -1310,38 +1280,8 @@ if ($JITMFARequired) {
        print "... skipping as your account is exempt from MFA\n";
    }
    else {
-        # use system() instead of OVH::Bastion::execute() because we need it to grab the term
-        my $pamtries = 3;
-        while (1) {
-            my $pamsysret;
-            if (OVH::Bastion::is_freebsd()) {
-                $pamsysret = system('sudo', '-n', '-u', 'root', '--', '/usr/bin/env', 'pamtester', 'sshd', $sysself, 'authenticate');
-            }
-            else {
-                $pamsysret = system('pamtester', 'sshd', $sysself, 'authenticate');
-            }
-            if ($pamsysret < 0) {
-                main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "MFA is required for this host, but this bastion is missing the `pamtester' tool, aborting");
-            }
-            elsif ($pamsysret != 0) {
-                if (--$pamtries <= 0) {
-                    main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', "Sorry, but Multi-Factor Authentication failed, I can't connect you to this host");
-                }
-                next;
-            }
-
-            # success, if we are configured to launch a external command on pamtester success, do it.
-            # see the bastion.conf.dist file for usage example.
-            my $MFAPostCommand = OVH::Bastion::config('MFAPostCommand')->value;
-            if (ref $MFAPostCommand eq 'ARRAY' && @$MFAPostCommand) {
-                s/%ACCOUNT%/$self/g for @$MFAPostCommand;
-                $fnret = OVH::Bastion::execute(cmd => $MFAPostCommand, must_succeed => 1);
-                if (!$fnret) {
-                    warn_syslog("MFAPostCommand returned a non-zero value: " . $fnret->msg);
-                }
-            }
-            last;
-        }
+        $fnret = OVH::Bastion::do_pamtester(self => $self, sysself => $sysself);
+        $fnret or main_exit(OVH::Bastion::EXIT_MFA_FAILED, 'mfa_failed', $fnret->msg);
    }
 }

--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@ -920,4 +920,49 @@ sub build_ttyrec_cmdline {
    return R('OK', value => {saveFile => $saveFile, cmd => \@ttyrec});
 }

+sub do_pamtester {
+    my %params  = @_;
+    my $sysself = $params{'sysself'};
+    my $self    = $params{'self'};
+    my $fnret;
+
+    if (!$sysself || !$self) {
+        return R('ERR_MISSING_PARAMETER', msg => "Missing mandatory arguments 'sysself' or 'self'");
+    }
+
+    # use system() instead of OVH::Bastion::execute() because we need it to grab the term
+    my $pamtries = 3;
+    while (1) {
+        my $pamsysret;
+        if (OVH::Bastion::is_freebsd()) {
+            $pamsysret = system('sudo', '-n', '-u', 'root', '--', '/usr/bin/env', 'pamtester', 'sshd', $sysself, 'authenticate');
+        }
+        else {
+            $pamsysret = system('pamtester', 'sshd', $sysself, 'authenticate');
+        }
+        if ($pamsysret < 0) {
+            return R('KO_MFA_FAILED', msg => "MFA is required for this host, but this bastion is missing the `pamtester' tool, aborting");
+        }
+        elsif ($pamsysret != 0) {
+            if (--$pamtries <= 0) {
+                return R('KO_MFA_FAILED', msg => "Sorry, but Multi-Factor Authentication failed, I can't connect you to this host");
+            }
+            next;
+        }
+
+        # success, if we are configured to launch a external command on pamtester success, do it.
+        # see the bastion.conf.dist file for usage example.
+        my $MFAPostCommand = OVH::Bastion::config('MFAPostCommand')->value;
+        if (ref $MFAPostCommand eq 'ARRAY' && @$MFAPostCommand) {
+            s/%ACCOUNT%/$self/g for @$MFAPostCommand;
+            $fnret = OVH::Bastion::execute(cmd => $MFAPostCommand, must_succeed => 1);
+            if (!$fnret) {
+                warn_syslog("MFAPostCommand returned a non-zero value: " . $fnret->msg);
+            }
+        }
+        last;
+    }
+    return R('OK_MFA_SUCCESS');
+}
+
 1;
--- a/tests/functional/docker/target_role.sh
+++ b/tests/functional/docker/target_role.sh
@ -56,7 +56,7 @@ cat /home/"$TARGET_USER"/.ssh/id_*.pub > ~test-shell_/.ssh/authorized_keys
 add_user_to_group_compat test-shell_ bastion-nopam

 # install a fake ttyrec just so that our connection tests work
-if [ ! -e /usr/bin/ttyrec ] ; then
+if ! command -v ttyrec >/dev/null; then
    "$basedir"/bin/admin/install --nothing --no-wait --install-fake-ttyrec
 fi

--- a/tests/functional/tests.d/350-groups.sh
+++ b/tests/functional/tests.d/350-groups.sh
@ -883,6 +883,7 @@ EOS
    success groupModify guest_ttl_limit $a1 --osh groupModify --group $group1 --guest-ttl-limit 0
    json .command groupModify .error_code OK

+    # if we're just counting the number of tests, don't sleep
    [ "$COUNTONLY" != 1 ] && sleep 1

    # group1: a1(owner,aclkeeper,gatekeeper,member) a2() servers(127.0.0.10,127.0.0.11)