Make sudo access managed via IAM rather than group checkmark

2021-04-15 10:56:11 -05:00
parent f2995899ec
commit b26519ea88
3 changed files with 39 additions and 14 deletions


@@ -207,14 +207,25 @@ class User extends AuthUser {
return groups.some(group => group.grants_sudo)
}
async to_sudo() {
async to_sudo(iam_targets = []) {
const Policy = this.models.get('iam:Policy')
const granted = []
for ( const target of iam_targets ) {
if ( await Policy.check_user_access(this, target, 'sudo') ) {
granted.push(target)
}
}
return {
objectClass: ['sudoRole'],
cn: `sudo_${this.uid.toLowerCase()}`,
sudoUser: this.uid.toLowerCase(),
sudoHost: 'ALL',
sudoRunAs: 'ALL',
sudoCommand: 'ALL',
...(granted.length ? {
iamtarget: granted,
sudoHost: 'ALL',
sudoRunAs: 'ALL',
sudoCommand: 'ALL',
} : {})
}
}
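Review bot: In the object returned by `to_sudo`, a grant on any single entry of `iam_targets` still emits `sudoHost: 'ALL'`, `sudoRunAs: 'ALL'` and `sudoCommand: 'ALL'`, so the per-target scoping rests entirely on whatever consumes the `iamtarget` attribute. That consumer is not visible in this hunk; if a host's sudo LDAP lookup does not filter on `iamtarget`, permission on one target would presumably act as sudo on every host. I would document the dependency above the spread, e.g. `// sudoHost stays 'ALL': scoping relies on each host filtering sudoRole entries by iamtarget`, or derive `sudoHost` from the granted targets if they map to hostnames. Separately, when nothing is granted the method returns a sudoRole with no host or command attributes, and a docstring should state whether callers are expected to skip such entries. The `User` class itself continues outside the hunk.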